On March 17, 2015, US health insurer Premera Blue Cross announced that it was the victim of a sophisticated cyber attack that exposed the medical and financial information of millions of customers. The company said that it was working with the FBI and the cyber security firm Mandiant as part of its investigations into the massive data breach.
The Details of the Attack
Premera is a Washington-based health insurance company that serves millions of people. It focuses on communities in Washington, Oregon, and Alaska, though it has customers in all 50 states. The attack affects Premera Blue Cross itself, along with its affiliated Vivacity and Connexion Insurance Solutions brands, and Premera Blue Cross Blue Shield of Alaska.
The attack, which occurred in May 2014 and was discovered in January 2015, may have exposed data from 11 million customers. Six million of those were residents of Washington state. Customers there include employees of companies like Amazon.com, Microsoft, and Starbucks. Among the stolen pieces of information were names, birthdates, email addresses, physical addresses, Social Security numbers, bank account numbers and medical information. In some cases, the stolen information dates back to 2002.
Premera is contacting people affected by the data breach and has set up a website where people can learn more about its actions in the aftermath of the attack. It has also created a dedicated call center for its members, and is promising 2 years of free credit monitoring and identity theft protection.
What Hackers Can Do With the Stolen Information
Medical information is highly valued on the black market. Such information is typically used for identity theft, and in turn, insurance and prescription fraud.
According to a cyber security expert quoted by Reuters, criminals sell stolen health credentials for 10-20 times the value of stolen credit card numbers. The FBI has reported that partial electronic health records (EHRs) are being sold for 50 times the value of stolen Social Security numbers or credit card numbers.
In addition to having a higher value, medical information also lasts longer than credit card numbers. This is because victims can cancel their credit cards, but cannot cancel their medical information. While stolen credit cards are only viable for a few weeks, thieves can use stolen medical information for months, and in some cases, years.
Personal and financial information was also stolen from Premera. This information can be used to steal tax refunds, break into bank accounts, open new credit card accounts, and secure loans in the names of the victims. Hackers can also use personal information in phishing attacks designed to manipulate targets into giving away their passwords. These passwords are then used to break into other accounts owned by the victims.
What Companies Can Do to Protect Their Data
Premera is only one of many companies that have recently fallen victim to cyber crime. In February 2015, health insurer Anthem Inc. announced that hackers had gained access to a database containing as many as 80 million records. Hackers also stole large amounts of data from several other major organizations last year, including Home Depot, Staples, JP Morgan Chase, Sony, Community Health Services, and the US Postal Service.
These incidents show that blindly following the reactive security practices of larger organizations can lead to trouble. Instead, companies must take a proactive approach to cyber security. Key components in developing a proactive cyber security approach include security training, disaster recovery plans, and cyber insurance coverage.
Ongoing security training is one of the most effective proactive measures an organization can take. Employees should be taught how to recognize basic techniques such as phishing, as well as how to spot fake emails and text messages.
A good disaster recovery plan is also an important proactive step. These plans provide a set of procedures for recovering an IT infrastructure after an attack or a natural disaster.
Finally, companies may want to look into cyber insurance coverage. This insurance protects against the expense of being hacked and losing sensitive customer information. One in three companies has already purchased cyber insurance. According to the insurance brokerage firm Marsh LLC, last year alone saw a 20% increase in cyber insurance sold to retailers, hospitals, banks, and other companies.
A qualified IT specialist can help you develop a proactive approach within your own organization. Contact the Total Cover IT team to learn about the best ways to protect your company.