Premera Blue Cross, a major non-profit health care service provider, disclosed late yesterday that the company has suffered an unauthorized intrusion on its networks that may have resulted in the breach of financial and medical records of some 11 million customers. Though the source of the attack has yet to be disclosed, researchers indicate that the intrusion is the work of a state-sponsored espionage group based out of China.
In a statement released Tuesday, the company announced a website, premeraupdate.com, created to share information regarding the breach; there the company notes it learned of the breach on January 29, 2015. Premera went on to say the investigation revealed the initial attack occurred on May 5, 2014, and affected records dating back as far as 2002.
The Premera Blue Cross breach also affected other brands under the company, including Premera Blue Cross Blue Shield of Alaska and affiliate brands Vivacity and Connexion Insurance Solutions. The company went on to state:
“Our investigation determined that the attackers may have gained unauthorized access to applicants and members’ information, which could include member name, date of birth, email address, address, telephone number, Social Security number, member identification numbers, bank account information, and claims information, including clinical information. This incident also affected members of other Blue Cross Blue Shield plans who sought treatment in Washington or Alaska.”
“Individuals who do business with us and provided us with their email address, personal bank account number or social security number are also affected. The investigation has not determined that any such data was removed from our systems. We also have no evidence to date that such data has been used inappropriately.”
Premera said it will notify all affected customers through postal mail and will offer them two free years of credit monitoring, identity theft protection and identity theft insurance. The credit monitoring services will be provided through Experian, one of the big three credit bureaus.
“I recognize the frustration that the news of this cyberattack may cause,” said Jeff Roe, Premera president and CEO, speaking on the breach. “The privacy and security of our members’ personal information is a top priority for us. As much as possible, we want to make this event our burden, not yours, by making services available to protect you and your information moving forward.”
The health care provider said it is working with security firm Mandiant and federal law enforcement to investigate the Premera Blue Cross breach. Mandiant specializes in tracking and preventing attacks from state-sponsored hacking groups, especially those based in mainland China.
According to KrebsOnSecurity, an official within the FBI Seattle field office confirmed the agency is helping Premera Blue Cross investigate the breach, but declined to discuss details this early on, citing “the ongoing nature of the investigation.”
“Cybercrime remains a significant threat and the FBI will continue to devote substantial resources and efforts to bringing cyber criminals to justice,” the FBI continued in its email.
Strong evidence suggests the Premera Blue Cross breach may be tied to the same hackers who broke into health insurer Anthem, stealing the data of some 78 million Americans.
A Chinese state-sponsored hacking group known by a number of aliases, including “Deep Panda,” “Axiom,” “Group 72,” and “Shell_Crew,” began attacking Anthem’s security in late April. The evidence came from researchers who tied the Deep Panda group to a domain called we11point[dot]com (Anthem was known as Wellpoint prior to its corporate name change in 2014).
In a report from security firm ThreatConnect, the company tied a Wellpoint look-alike domain to a series of targeted attacks launched by China in May 2014, aimed at tricking Wellpoint employees into downloading malicious software operated by the Deep Panda hacking group.
The firm published more data on the hacking group, tying it to another domain called prennera[dot]com (the double n appears to mimic the letter m).
“It is believed that the prennera[.]com domain may have been impersonating the Healthcare provider Premera Blue Cross, where the attackers used the same character replacement technique by replacing the ‘m’ with two ‘n’ characters within the faux domain, the same technique that would be seen five months later with the we11point[.]com command and control infrastructure,” ThreatConnect wrote three weeks prior to the Premera Blue Cross disclosure.
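The character-replacement trick described above (a digit 1 standing in for l, a double n standing in for m) is easy to screen for in DNS, proxy or mail logs. The following is an added example, not code from the article or from ThreatConnect: the watch-list of protected brand domains and the confusable table are assumptions for illustration, and the checker also catches TLD swaps and one-character typos beyond the two substitutions the article names.

```python
import re

# Constructed watch-list of brand domains to protect; an assumption, not from the article.
PROTECTED = ["wellpoint.com", "premera.com"]

# Substitutions named in the article (digit 1 for l, double n for m) plus a few other
# common confusables. Candidate and brand are normalized with the same table.
CONFUSABLES = [("rn", "m"), ("nn", "m"), ("vv", "w"), ("cl", "d"),
               ("1", "l"), ("0", "o"), ("3", "e"), ("5", "s"), ("7", "t")]

def registrable(domain: str) -> tuple:
    """Undo defanged [dot]/[.] notation, lowercase, and return (label, tld),
    e.g. 'we11point[.]com' -> ('we11point', 'com')."""
    d = re.sub(r"\[(?:dot|\.)\]", ".", domain.strip().lower())
    parts = [p for p in d.split(".") if p]
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0] if parts else "", "")

def normalize(label: str) -> str:
    """Collapse confusable sequences to the letters they imitate."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str):
    """Return (protected_domain, reason) when `domain` resembles a watched brand;
    None for the brand's own domain and for unrelated domains."""
    label, tld = registrable(domain)
    brands = [(b,) + registrable(b) for b in PROTECTED]
    if not label or any((label, tld) == (bl, bt) for _, bl, bt in brands):
        return None
    for brand, b_label, _ in brands:
        if label == b_label:
            return (brand, "tld swap")
        if normalize(label) == normalize(b_label):
            return (brand, "confusable substitution")
        if edit_distance(normalize(label), normalize(b_label)) == 1:
            return (brand, "one-character typo")
    return None
```

Feeding `lookalike_of` the two domains the article names, `we11point[dot]com` and `prennera[.]com`, flags each as a confusable substitution of its brand, while the genuine `premera.com` returns None.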
The company has noted the investigation is ongoing.