Hack on Premera Blue Cross exposes 11M customer records

Names, birthdates and Social Security numbers were exposed in the latest security breach at a health industry organization.

Steven Musil Night Editor / News

Premera Blue Cross estimates as many as 11 million current and former customers may be affected by the cyberattack. CNET

A recently discovered cyberattack on health insurance provider Premera Blue Cross last year may have exposed the medical data and financial information of 11 million customers, the company revealed Tuesday, the latest security breach at a health industry organization.

Hackers gained unauthorized access to customers' personal information, including names, birthdates, Social Security numbers, and claims information during the May 2014 intrusion, said Premera, a health benefits provider in the Pacific Northwest. Other information exposed included bank account information, email addresses and telephone numbers, Premera said.

The breach was discovered January 29, just days before Anthem, the No. 2 health insurer in the US, revealed that it was the victim of what may be the largest ever data breach involving a US health insurer. Anthem said the attack on its servers compromised unencrypted personal information, such as names, dates of birth, member IDs, and Social Security numbers, for as many as 80 million current and former members and employees.

Premera said it is working with the FBI to investigate the attack but said it has not yet determined whether any information was removed from the servers or "used inappropriately." The customer information that may have been compromised dates as far back as 2002, Premera said.

It was not immediately clear whether the information exposed in Premera's hack was encrypted. Under the federal Health Insurance Portability and Accountability Act (HIPAA), health insurance companies are not required to encrypt the data stored on their servers.

Premera did not immediately respond to a request for comment.

The combination of sensitive customer information held by health care organizations, especially Social Security numbers, makes them particularly attractive to hackers looking to steal identities.

Law enforcement began warning health care industry companies last year that they may face an increased risk of data breach attacks. Following a hack on US hospital group Community Health Systems in August, the FBI issued a flash warning to companies that it had observed "malicious actors targeting healthcare related systems," perhaps for the purpose of obtaining health care information or personal identification information, according to Reuters.

The security breach affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and affiliated brands Vivacity and Connexion Insurance Solutions.