A recently discovered cyberattack on health insurance provider Premera Blue Cross last year may have exposed the medical data and financial information of 11 million customers, the company revealed Tuesday, the latest security breach at a health industry organization.
Hackers gained unauthorized access to customers' personal information, including names, birthdates, Social Security numbers, and claims information during the May 2014 intrusion, said Premera, a health benefits provider in the Pacific Northwest. Other information exposed included bank account information, email addresses and telephone numbers, Premera said.
The breach was discovered January 29, just days before Anthem, the No. 2 health insurer in the US, revealed that it was the victim of what may be the largest ever data breach involving a US health insurer. Anthem said the attack on its serverssuch as names, dates of birth, member IDs, and Social Security numbers for as many as 80 million current and former members and employees.
Premera said it is working with the FBI to investigate the attack but said it has not yet determined whether any information was removed from the servers or "used inappropriately." The customer information that may have been compromised dates as far back as 2002, Premera said.
It was not immediately clear whether the information exposed in Premera's hack was encrypted. Under the federal Health Insurance Portability and Accountability Act (HIPAA), health insurance companies are not required to encrypt the data stored on their servers.
Premera did not immediately respond to a request for comment.
The combination of sensitive customer information held by health care organizations - especially Social Security numbers -- make them particularly attractive to hackers looking to steal identities.
Law enforcement began warning health care industry companies last year that they may face an increased risk of data breach attacks. Following a Reuters.in August, the FBI issued a flash warning to companies that it had observed "malicious actors targeting healthcare related systems," perhaps for the purpose of obtaining health care information or personal identification information, according to
The security breach affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and affiliated brands Vivacity and Connexion Insurance Solutions.