Coming fresh off the heels of the Anthem data breach, Premera Blue Cross announced on March 17th that it was the victim of a “sophisticated” cyberattack that may have exposed the personal information of approximately 11 million of its members. Premera has approximately 6 million members residing in the State of Washington, 250,000 members residing in Oregon and 80,000 members residing in Alaska. Premera stated that the cyberattack began sometime in May of 2014 but was not discovered until the end of January 2015. According to Premera, the information exposed may include social security numbers, bank account information, and medical and financial information, including clinical information.
Three state insurance commissioners (Washington, Oregon and Alaska) have already launched a joint investigation and a market conduct examination of Premera related to the breach. The joint investigation will include on-site reviews of Premera’s financial books, records, transactions, and Premera’s cybersecurity. The Washington Insurance Commissioner has expressed concern over the length of time (approximately six weeks) it took for Premera to notify his office of the attack. Alaska’s governor ordered all state agencies to review their online security safeguards as well as those put in place by their business associates. Premera is also conducting an internal forensic investigation through a cybersecurity firm and is cooperating with the FBI in a criminal investigation.
Combined with the cyberattacks on Community Health Systems and Anthem, this is the third large attack on a member of the health care industry announced in the last seven months, and these three breaches may have collectively impacted approximately 95.5 million people. As these attacks illustrate, health information is now a high-priority target for cybercriminals. Currently, a complete health record may be worth at least ten times more than credit card information on the black market, as health records often include a wealth of personal information that can be used for identity theft and to file false health insurance claims. Further, the data security protections currently in place in the health care industry tend to lag behind those in the banking and financial sector, which makes the information vulnerable to attack by those who view the valuable information as “low-hanging fruit.”
Similar to the Anthem and the Community Health Systems breaches, Premera was immediately hit by a proposed class action accusing Premera of negligence and inadequate security. The March 26, 2015 Complaint alleges that Premera breached its duty of care by failing to secure and safeguard the personal and health information of its members and negligently maintaining a system that it knew was vulnerable to a security breach. The Complaint further alleges that Premera has a duty to secure and safeguard the personal health information of its members under HIPAA and its failure to implement security and privacy safeguards was a violation of HIPAA. The Complaint also alleges violations of state consumer protection laws and data disclosure laws.
As evidenced by the Anthem and Premera breaches, a single security incident resulting in a data breach can have significant consequences for health care companies and business associates, including government investigations, class action lawsuits, and a hit to the organization’s reputation. To manage this risk, we encourage all companies handling health information to conduct comprehensive risk assessments and to create, review and update their data security policies and procedures to ensure that they are doing enough to adequately protect the health information maintained on their IT systems and elsewhere in their organization.