Slashdot Mirror


Personal Healthcare Info of Over 11M Premera Customers Compromised

An anonymous reader writes: U.S. healthcare provider Premera Blue Cross has suffered a data breach that resulted in a potential compromise of personal, financial and health-related information of as many as 11 million applicants and members. The breach was detected on January 29, 2015, and the investigation mounted by the company and by forensic investigators from Mandiant has revealed that the initial attack happened on May 5, 2014. The FBI has also been notified, and is involved in the investigation.

69 comments

  1. This plus Anthem (also Blue Cross) by the_skywise · · Score: 3, Informative

    And they've compromised about 5% of the US population...

    1. Re:This plus Anthem (also Blue Cross) by ColdWetDog · · Score: 2, Funny

      So, pretty much everyone with insurance?

      --
      Faster! Faster! Faster would be better!
    2. Re:This plus Anthem (also Blue Cross) by Anonymous Coward · · Score: 0

In the land of litigation, why aren't the people shredding these companies to pieces in trials? Do you automatically sign away your rights to do so when getting insurance or something?

    3. Re:This plus Anthem (also Blue Cross) by Anonymous Coward · · Score: 3, Informative

      Not 5%.

      The Anthem hack was 80 million people. This brings it to 91. That's 28% of the US population who have had their entire identity stolen.

    4. Re:This plus Anthem (also Blue Cross) by ColdWetDog · · Score: 2, Informative

      Because you have to be able to show you suffered a loss. No, and loss of privacy rarely counts (you need a really good lawyer to push that one). Not to worry, however - after some period of time and a few more breaches, the Class Action lawyers will crawl out of the woodwork and after a few more years, get some settlement from the various insurance companies that offers the lawyers a couple of million for them and free credit reporting for the Rest of Us.

      By that time the SCO case will have finally been adjudicated.

      --
      Faster! Faster! Faster would be better!
    5. Re:This plus Anthem (also Blue Cross) by the_skywise · · Score: 1

      My bad - the last number I recalled hearing was 25 million (including me)

    6. Re:This plus Anthem (also Blue Cross) by rogoshen1 · · Score: 1

For the longest time I was in favor of nationalized healthcare; but now in the era of 'big data' (pardon the buzzword, my soul dies a little bit every time I say stuff like that) -- I'm not so sure.

      Do the pros (lower cost, fewer people without coverage) outweigh the cons? (data breaches, loss of privacy, potential for governmental abuse, and/or sticking their snouts where they don't belong)

      Seeing private companies suffer from lack of security, and the potential ramifications -- a government run 'insurance' setup would be a much larger target, and while it's cliche, due to bureaucratic incompetence might even have even more lax security standards =/

    7. Re:This plus Anthem (also Blue Cross) by Jason+Levine · · Score: 1

      It's curious that they and Anthem discovered the breaches on the same day. I know coincidence doesn't prove a linkage, but still this seems a bit suspicious.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    8. Re:This plus Anthem (also Blue Cross) by g0bshiTe · · Score: 1

      Rights in America are now only for corporations.

      --
      I am Bennett Haselton! I am Bennett Haselton!
    9. Re:This plus Anthem (also Blue Cross) by xra · · Score: 1

Do you file taxes with the IRS? Do you own a passport? The government already has plenty of your data. Healthcare won't change much.

    10. Re:This plus Anthem (also Blue Cross) by Bing+Tsher+E · · Score: 3, Insightful

      Social Security numbers shouldn't be considered confidential. It should be impossible for financial services to use a person's SSN for any purpose for which they assume it is private or confidential.

      The government could neuter the whole issue by publishing everyone's SSN in a big digest. Names alongside SSNs.

      The SSN was never intended as anything but an index for the Social Security System. That financial institutions have instrumented it into being a 'secret' that people use to secure 'credit' should be thrown right back in the face of the Financial Institutions.

      It could start by a reasonable percentage of us agreeing to have our SSNs published. We would decree that the SSN was never intended to be 'secure' and that it is not our liability how our SSNs are used. If, say, 10% of the population agreed to be published in this way it would take down the ability of the credit industry to use SSNs for anything.

    11. Re:This plus Anthem (also Blue Cross) by dave420 · · Score: 1

      Even if there were data breaches left right and center, I'm sure that would be better than the cluster-fuck of healthcare in the US. As has already been pointed out, the government already has your data, so you'd lose nothing, but gain a lot of money, free time, and improved outcomes.

    12. Re:This plus Anthem (also Blue Cross) by Anonymous Coward · · Score: 0

      In the same boat.

      It is damnable to me that I'm required to purchase insurance, and essentially gamble that there won't be some data theft. I haven't seen the same for auto insurance (US), so I wonder if their security practices are better, or are they just not as big of a target.

It seems the next round of legislation should be heavy penalties for security breaches, but that may be decades in coming. In the meantime, I'm forced to risk financial ruin in order to comply with the law, and can't even compare insurers based upon their security.

      That is down-right evil.

    13. Re:This plus Anthem (also Blue Cross) by Penguinisto · · Score: 1

      True... my old USAF dog tags have my SSN stamped onto them. Folks used to put their SSN on their checks alongside their name and address. Until recently, many states used your SSN as your drivers' license number.

      It was never, ever intended to be some secret passcode that unlocks your data, nor should it be. The sooner financial institutions (and credit reporting agencies!) stop using it, the better. The only thing I fear with doing so is that such institutions will demand more intrusive means of identifying you, such as a DNA sample, iris print, thumbprint, etc.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    14. Re:This plus Anthem (also Blue Cross) by DarkOx · · Score: 1

Do you file taxes with the IRS? Do you own a passport? The government already has plenty of your data. Healthcare won't change much.

Spoken like a true ACA apologist. Before that law went into effect, the 'data' the IRS or State Dept had on me was all largely discoverable through a few simple public records searches, and a beginner's OSINT effort. Not all my salary would be hard to determine specifically, and my SSN might be moderately difficult to discover. Otherwise the IRS had name, address, phone, bank account numbers (anyone who has ever handled a check you have written has access to that), DOB (you probably share that on FaceSpace), number of kids (already public record), marital status (again already public record).

      Letting the government in on medical history is an entirely new and invasive situation for anyone who hasn't filed for Medicare / SS Disability. Quit trying to pretend different.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    15. Re:This plus Anthem (also Blue Cross) by Anonymous Coward · · Score: 0

      Because of tort "reform", forced arbitration clauses, etc. which only benefit big corporations and/or wealthy people.

    16. Re:This plus Anthem (also Blue Cross) by xra · · Score: 2

Do you file taxes with the IRS? Do you own a passport? The government already has plenty of your data. Healthcare won't change much.

      Spoken like a true ACA apologist.

Agreed, and this apologist enjoys very much his CANADIAN Universal Single Payer Health Insurance.

    17. Re:This plus Anthem (also Blue Cross) by sjames · · Score: 1

      The government already has all of your data. It might as well use it for something actually helpful to you.

      Private insurance has already created billing paperwork MORE complex than government billing, so no loss there.

      The big difference is that the back end costs would be incurred by the one entity that has actual power to demand that medical suppliers quit ripping off their customers.

    18. Re:This plus Anthem (also Blue Cross) by HiThere · · Score: 1

      The problem is that the current "nationalized health care" wasn't designed to reduce the costs of the system, merely to increase coverage, which I will admit is a good point.

      A decent system would have started by saying that insurance was a lousy model for any cost which you know will be incurred...and removed the insurance companies from the scam. That action alone would have cut the costs by probably 50%. Then it would have cut back tremendously on the paperwork. Get rid of all this "justification for performance of this laboratory test requested by a doctor". Even allowing for an increase in the number of unneeded tests this would probably shave another 50% off the system. So much of the costs of the system are tied up in bookkeeping games that it's unreal. Then, using a very conservative definition of "unnecessary" cut unnecessary medical procedures out of the system. Perhaps they could be covered by additional "insurance" policies...though that's not the kind of thing insurance likes to cover. But there's no need to cover plastic surgery except in cases like, e.g., reconstructive surgery after an accident. And perhaps "really major medical" could be covered by insurance. That's a thing that actually *is* suitable for the insurance model.

      OTOH, this *would* mean increased governmental data collection...except that they were doing it anyway, so I'd just like to get some benefit out of all that government intrusion. If you don't support governmental coverage of health because it increases governmental intrusion, first ensure that you get rid of the governmental intrusion if you don't have it.

--
I think we've pushed this "anyone can grow up to be president" thing too far.
    19. Re: This plus Anthem (also Blue Cross) by Anonymous Coward · · Score: 0

      "Do the pros (lower cost..."

Omg this is the funniest fucking thing I've read in a loooong time. Thank you.

    20. Re:This plus Anthem (also Blue Cross) by Anonymous Coward · · Score: 0

      Enjoy?

    21. Re:This plus Anthem (also Blue Cross) by dkman · · Score: 1

      This.

      How often do you hear about a government personal info data breach? The DMV, IRS, VA? Part of the problem is that the insurance companies are only interested in fleecing their customers for as much as possible. They're not interested in protecting your data, so it slips through their fingers. "Oopsie, sorry about that." is all we get.

      The government, OTOH, is interested in data security. If there were a breach on that side the government also has the power to track you down and throw you in Gitmo claiming you threatened national security. Random corp doesn't have that kind of power.

      --
      I refuse to sign
    22. Re: This plus Anthem (also Blue Cross) by Anonymous Coward · · Score: 0

      You can have a single payer, and have multiple private companies administer, as is much of the Medicare and Medicaid system today.

  2. Full Disclosure, please? by hipsterdufus · · Score: 3, Insightful

    As an admin, I'd love to see the actual technical aspects of the breach. How did they get in? How did they compromise your security? How long were they in the system before being detected? How did you detect them? Were you logging information that did catch them, but some oversight caused that data to be missed? How do you KNOW they are out of the system without flattening the entire infrastructure?

    Knowing this data can help security professionals add more security layers to keep the evil-doers out of the network.

    1. Re:Full Disclosure, please? by ColdWetDog · · Score: 1

      An admin, huh? With those sorts of questions, you are undoubtedly a criminal. Or someone who could become a criminal under certain circumstances and we can't have that.

      Please keep your hands away from your lap and the keyboard. We shall be with you in a moment.

      --
      Faster! Faster! Faster would be better!
    2. Re:Full Disclosure, please? by Anonymous Coward · · Score: 0

      He's not a criminal. He's a witch! Burn him!

    3. Re:Full Disclosure, please? by Anonymous Coward · · Score: 0

      As an admin

      Don't you mean as an IT drone?

    4. Re:Full Disclosure, please? by grep+-v+'.*'+* · · Score: 1

      How do you KNOW they are out of the system without flattening the entire infrastructure?

      Because we turned off the latest version of the PC Anywhere and Carbon Copy boxes that didn't use passwords to login. How else could they have entered the system? (Don't ask about the VLC box, we're still trying to locate it.)

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    5. Re:Full Disclosure, please? by Anonymous Coward · · Score: 0

      An admin, huh? With those sorts of questions, you are undoubtedly a criminal.

      Hmmm... And YOU must be upper management... Distant from the trenches with a disconnected understanding of it.

      I'm an Admin too, and I think the questions are valid. To stop the bad guys we need to understand how they think and what tools and techniques they use. Like a police detective needs to think like a criminal in order to solve a crime or a home security officer needs to think like a burglar. If someone breaches a house from its window, then we need to know that so we can put better locks on our windows.

    6. Re:Full Disclosure, please? by CaptainDork · · Score: 1

I'm an admin as well and I find that in several months there will be an anatomy of the breach posted in several stories.

      --
      It little behooves the best of us to comment on the rest of us.
    7. Re:Full Disclosure, please? by Thud457 · · Score: 1

      Being an admin and being a witch are not mutually exclusive.
      And both imply arcane knowledge that is beyond the reality of the mundane.
      Either way, not somebody to be trifled with. Or trusted.

--
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    8. Re:Full Disclosure, please? by Anonymous Coward · · Score: 0

      Premera Blue Cross Breach Exposes Financial, Medical Records

      https://krebsonsecurity.com/2015/03/premera-blue-cross-breach-exposes-financial-medical-records/ ...
On Feb. 27, 2015, ThreatConnect researchers published more information tying the same threat actors and modus operandi to a domain called “prennera.com” (notice the use of the double “n” there to mimic the letter “m”).

      “It is believed that the prennera[.]com domain may have been impersonating the Healthcare provider Premera Blue Cross, where the attackers used the same character replacement technique by replacing the ‘m’ with two ‘n’ characters within the faux domain, the same technique that would be seen five months later with the we11point[.]com command and control infrastructure,” ThreatConnect wrote in a blog post three weeks ago. ...

    9. Re:Full Disclosure, please? by stackOVFL · · Score: 1

And why do Admins burn?????

  3. Again... by Anonymous Coward · · Score: 0

Yet another company that "protects your data" that failed to do so.

    If you don't depend on them, then you have no reason to provide them with information. No need to pay them with money or by giving up your control.

    1. Re:Again... by g0bshiTe · · Score: 1

That could be true, but since the passing of the ACA we are now required to pretty much use exchanges, so what choices do we have?

In this case, say my identity is compromised: I have recourse. Say it happens on the Fed exchange: I will have zero recourse.

      --
      I am Bennett Haselton! I am Bennett Haselton!
4. Another reason not give SSN to healthcare provider by schwit1 · · Score: 1

    They don't need it
    They won't protect it
    They will share it
    They are not liable when it is stolen

    There is no upside for customer

  5. First Anthem BCBS, now Premera by thebryce · · Score: 1

Wow, first Anthem BCBS, and now Premera BCBS.

    1. Re:First Anthem BCBS, now Premera by RavenLrD20k · · Score: 1

Actually vice versa. Premera got hacked long before Anthem; Anthem just didn't have nearly as much time between breach and releasing the fact to the public as Premera did.

  6. according to mister whois by nimbius · · Score: 1

    Updated Date: 19-jan-2015
    Creation Date: 20-mar-2012
    Expiration Date: 20-mar-2016

    so, uh....exactly how long did we know/did we think this would become a massive fucking issue?

    --
    Good people go to bed earlier.
    1. Re:according to mister whois by Anonymous Coward · · Score: 0

Wayback Machine has no past history either, just the go-live on March 17th.

  7. No Imminent Danger by rfrenzob · · Score: 1

    I for one am glad that there is no imminent danger from anyone compromising health information.

    1. Re:No Imminent Danger by Jason+Levine · · Score: 1

      As an identity theft victim, this doesn't surprise me. The whole system is set up to protect the large companies from any liability should your personal information be misused and to place the burden on you to prove that it was indeed misused.

      Given that names, DOB, address, and SSN were likely breached - which together could be used to open credit lines in a person's name - my recommendation would be to freeze your credit if you were one of the affected. It's a pain because you can't open up any new lines of credit yourself unless you first thaw your credit (and pay for it), but neither can anyone else.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    2. Re:No Imminent Danger by Anonymous Coward · · Score: 0

      If a company gives credit to someone using your name, DOB, and SSN and they come after you expecting payment or it negatively affects your credit rating then it is the company's fault for doing so. You are an innocent victim of the failure of the company to verify who they gave credit to.

      Have a lawyer send a very nasty letter to the company and the credit agencies and tell them your lawyer will bill them for the time it takes to clear up the mess that THEY have caused. Don't accept fault like they expect everyone to do. You can't show damages for when the data was taken, but you can show damages when it is used.

  8. Re:Another reason not give SSN to healthcare provi by Anonymous Coward · · Score: 1

    No choice. They'll get it anyways. My employer gave it to Aetna without my permission.

    I had a procedure done at a hospital recently. During registration, I glanced at the computer screen and they had my freakin drivers license photo! This was a private for-profit hospital and they have realtime access to the DMV database, so SSN should be easy.

  9. Re:Another reason not give SSN to healthcare provi by Anonymous Coward · · Score: 1

    Good luck with that.

Doctors' offices are the most incompetent people when it comes to business.

When I put up a fuss, there's always this "office manager" who insists they need it for "identification purposes".

    Medical is extremely careless with our information and when you try to take prudent precautions, they get all bitchy.

    Or as an ex-medical consultant friend of mine liked to say, "Doctors let their wives play office manager and the trouble is, doctors marry women who flunk out of beauty school."

  10. Re:Another reason not give SSN to healthcare provi by Dutch+Gun · · Score: 3, Insightful

    I've heard about protecting your SSN nearly my entire life. Can anyone actually steal your identity with just your SSN? Given the world we live in nowadays, what sort of half-wit organization would consider your SSN some personal passcode that no one else should know? Frankly, I think we should just make them all public records, and then get over the asinine notion that we can use them as some sort of damned security code. As has been aptly demonstrated, it's not like we can really keep them secret for long anyhow. You're constantly forced to give it to strangers. What sort of "secret number" is that?

    Sorry, I'm not ranting at you. The inability of major corporations to keep customer data secret is really getting on my nerves. It's just ridiculous.

    --
Irony: Agile development has too much inertia to be abandoned now.
  11. This will continue by Anonymous Coward · · Score: 0

This will continue to happen until the C-level executives are held personally liable for the lack of effective security. (Threaten to) send the CEO, CFO etc. to jail and they'll soon change things for the better. Fines against the business won't work since they'll just get passed on to the consumer.

  12. Re:Another reason not give SSN to healthcare provi by ColdWetDog · · Score: 1

    You picked up a clue with the words 'half-wit'.

    --
    Faster! Faster! Faster would be better!
  13. Where's the money? by Anonymous Coward · · Score: 0

    So, who is the customer for all of this stolen health and patient information? Who is it valuable to? The hackers would only do this to sell this to someone. Why do I suspect that it's insurers themselves that want this data?

  14. So HIPAA applies to ... by CaptainDork · · Score: 1

    ... ???

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:So HIPAA applies to ... by Anonymous Coward · · Score: 1

      Only covered entities. I work for a company that sells health records, and HIPAA does not apply to us. We help companies make sure they don't hire employees with health problems.

    2. Re:So HIPAA applies to ... by Rougement · · Score: 4, Insightful

      Your company sounds completely evil.

  15. Medical Privacy by Shadow+IT+Ninja · · Score: 1

The main discussion on this breach, as well as others involving medical records, is their use in financial identity theft, especially fraudulent insurance claims. That's the main motive for the attacker. What about the consequences? I wonder if this has or will start to have an effect on the patients. In other words, reluctance to seek care because the diagnosis won't remain private. Maybe it would also cause an increase in people seeking so-called alternative medicine, where they don't have to standardize records and put them online as HIPAA requires.

16. And the real culprit is... by Anonymous Coward · · Score: 0

    Obamacare

  17. So How Do We get Access to the Stolen Data? by Anonymous Coward · · Score: 0

    So How Do We get Access to the Stolen Data? I need to hire some people. And I want to avoid getting people that have health problems.

  18. A bit short on the technical details .. by DougPaulson · · Score: 1

Does anyone have any details as to how this data breach was achieved and what platform Premera Blue Cross's computer system runs on?

  19. Karma Irony , told you so by Anonymous Coward · · Score: 0

    # You thought I was PARANOID and crazy for wanting to create isolated networks,
      extreme ACLs , banning windows, javascript, attachments, building in-house
      javascript-free apps

    #
    # I TOLD you .

    1. Re:Karma Irony , told you so by praxis · · Score: 1

      Did you now? How do we know? You have not identified yourself, yet you wish to take credit for being right? How the fuck does that work? You might be right, but you certainly can't claim credit for it unless you are credited for it.

    2. Re:Karma Irony , told you so by HiThere · · Score: 1

      Just how does that protect you when someone else's computer holding records of your information is breached?

--
I think we've pushed this "anyone can grow up to be president" thing too far.
  20. Re:Another reason not give SSN to healthcare provi by sjames · · Score: 1

    The whole concept of "identity theft" is daft. Nobody gets their identity stolen. They continue to be who they always were. What actually happens is that the bank gets defrauded and then the credit agencies commit libel. But our system of laws for some reason gives them a pass on that whole evidence thing that should stop them from harassing a third party (the so called victim of identity theft).

The solution is actually simple. Require the banks to ACTUALLY present evidence before attempting to collect on a debt and nail the credit agencies to the wall when they publish disparaging credit information with zero evidence of its accuracy (that is, with wanton disregard for the truth).

  21. Re:Another reason not give SSN to healthcare provi by Anonymous Coward · · Score: 0

    Exactly, why isn't incorrect information at a credit agency considered libel?

  22. Re:Another reason not give SSN to healthcare provi by sjames · · Score: 1

    I have no idea other than that they are a big financial institution and so get a pass from the old boy network. It certainly should be considered libel under current law.

  23. IT outsourcing may be the cause? by ErichTheRed · · Score: 1

    One thing I've noticed about these data breaches is that they happen at companies who don't really care that much about IT. Almost everywhere these days, IT departments in organizations like that have been outsourced. So the question is, does that extra layer of abstraction cause in-house staff to miss stuff?

    Let's assume the outsourcer is competent and doing an OK job. Even with that assumption, you now have another level that any IT change has to go through before it is implemented. Is it possible that the patch schedule takes so long to complete that key system vulnerabilities sit around for months while ITIL and friends approve the approval process to kickoff the change control meeting, notify all stakeholders, have meetings to schedule change planning meetings, etc. etc. etc.? (You can tell I've been on both sides of this fence...) It gets so bad that staff sometimes try to avoid making necessary changes because they don't want to fill out 2 hours' worth of ITIL paperwork.

    The other problem is that outsourcing inserts another layer that has to make money. I guarantee you that the best and brightest are not working for outsourcers for the most part, and they squeeze every single nickel out of every process and employee. We'll see what the security consultants dig up on this one, but I'll bet it has something to do with this.

  24. Re:Another reason not give SSN to healthcare provi by Cro+Magnon · · Score: 1

    You picked up a clue with the words 'half-wit'.

    Absolutely this!!! My SSN is an ID. It's not a damn password, but too many half-wits treat it as such.

    --
    Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  25. OT. Read as... by Anonymous Coward · · Score: 0

    I read this "As an asian, I'd love to know the actual technical aspects..."

    Stereotypes. I'm allowed to chuckle about it because I'm Asian. However, if any white people laugh, I will howl racism and sue the shit out of you.

  26. fix it.... by Anonymous Coward · · Score: 0

    get this type of data off the fucking internet. simple.

    medical records of any and all kinds (except perhaps for your pets and livestock) have NO PLACE on the internet or on an internet-accessible network.

  27. the company 'suffered' by swell · · Score: 1

    The summary says "Premera Blue Cross has suffered a data breach". But have they suffered? No doubt there will be lawsuits that drag on for years, but how much will this cost them in relation to their overall wealth and income? And how many executives will lose their bonus for the year (of course none will be fired)? Where and how exactly are they suffering? Has any company or executive ever paid a substantial penalty for losing identity data? Perhaps the penalty is having to distribute donations to their congress people who will protect them from prosecution.

    --
    ...omphaloskepsis often...
    1. Re:the company 'suffered' by Anonymous Coward · · Score: 0

      what's the point to penalties where consumer prices just escalate to make up for the extra expense? jail time for executives in charge, stock delisting, loss of licenses to underwrite policies.... now those are penalties...