Protections offered as breach of 11 million records is revealed

March 18, 2015

Premera Blue Cross and LifeWise Health Plan had websites offering protections for affected individuals ready to go the day they announced a breach of up to 11 million records of members, vendors and employees.

On the same day the breach of up to 11 million records was announced, Premera Blue Cross and LifeWise Health Plan launched dedicated public websites offering free credit monitoring and identity protection services to anyone affected.

Members, employees and vendors can enroll online for the services as a precaution.

The Premera Blue Cross and LifeWise websites also contain video messages from Premera President and Chief Executive Officer Jeff Roe about follow-up actions the insurer is taking.

Premera’s and LifeWise’s responses follow criticism of insurer Anthem in the wake of a breach that affected up to 78.8 million members and employees. Anthem announced the breach on January 27, 2015, and offered monitoring and protection resources, but was criticized for not providing details about how affected individuals could access those resources.

On February 10, the Attorneys General of nine states sent Anthem Chief Executive Officer Joseph Swedish a letter expressing “alarm” at the company’s delay in communicating with members.

Following a breach, insurers need to let members know how to directly access vendors for protective services, says Collin Hite, an Insurance Recovery Group partner at the law firm of Hirschler Fleischer, in Richmond, Virginia. The firm represents companies, including insurance companies, following data breaches.

The breach at Premera Blue Cross, based in the Pacific Northwest, occurred on May 5, according to the company, and wasn’t discovered until January 29. Members’ names, dates of birth, Social Security numbers, mailing and email addresses, phone numbers, member ID numbers and bank account information may have all been compromised.

The information dates as far back as 2002 and affects users of Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and Vivacity and Connection Insurance Solutions. Claims information, including clinical and personal information of people who did business with Premera, could also have been exposed.

LifeWise, headquartered in Mountlake Terrace, Washington, is sending letters to more than 250,000 patients whose personal information may have been hacked during a cyberattack that was detected in late January. The cyberattack affected LifeWise Health Plan of Washington, LifeWise Health Plan of Oregon and LifeWise Assurance Co. It also affected LifeWise Health Plan of Arizona, which no longer does business in that state.

 

 

Both insurers retained Mandiant, a cyber security firm in Alexandria, Virginia, to investigate. Mandiant also assisted in the Anthem cyberattack.


“Managed healthcare executives need to realize that healthcare data is becoming the biggest target for cybercriminals,” says Gerry Grealish, chief marketing officer at Perspecsys, an enterprise cloud data protection solutions company.

The healthcare industry is “data rich,” adds Hite, allowing a cybercriminal to “get a history of an individual that’s so detailed that it may allow him to completely adopt the identity of that individual.”

According to research firm Forrester, the value of healthcare records far surpasses that of credit card information, selling on the black market from $20 for a single health record to more than $500 for a complete patient dossier.

“As such, executives must truly understand at a detailed level what systems house their data, internal and in external systems like clouds, and put the strongest data protection techniques in place to secure it,” Grealish says.

At this point, it is still too early to pinpoint what led to the Premera breach, says Grealish. “However, given the size of the hack, with the data of 11 million customers affected, it is clear that the hackers used very aggressive techniques to execute on this breach.”

Security professionals need to consider implementing a classic military battlefield technique of reducing the footprint of what needs to be defended, according to Grealish.

“Healthcare organizations who deploy encryption and tokenization solutions, which essentially ‘mask’ the parts of personally identifiable information and patient records, are able to dramatically reduce the number of systems where this sort of data is stored and processed ‘in the clear,’” he says.

“By removing the targeted data from the majority of internal as well as external systems, such as cloud-based software, cybercriminals are faced with an increasingly difficult task of trying to locate it in a usable form. In essence, they are trying to find the needle in the haystack. And if they were ever to locate it, they would find the needle itself is locked down and is under 24/7 monitoring.”