The Washington Post

Cyberattack at health insurer exposed data on 11 million customers — including medical information


Premera Blue Cross, a health insurer based in the Seattle suburbs, announced Tuesday it was the victim of a cyberattack that may have exposed the personal data of 11 million customers — including medical information.

The company said it discovered the attack on Jan. 29 but that hackers initially penetrated its security system May 5, 2014. The attack affected customers of Premera, which operates primarily in Washington, and of Premera's Alaskan branch, as well as its affiliated brands Vivacity and Connexion Insurance Solutions, according to a Web site created by the company for customers. "Members of other Blue Cross Blue Shield plans who have sought treatment in Washington or Alaska may be affected," according to the site.

The company said its investigation has not determined if data was removed from their systems. But the information attackers had access to may have included names, street addresses, e-mail addresses, telephone numbers, dates of birth, Social Security numbers, member identification numbers, medical claims information and bank account information, according to the company's Web site. The company said it does not store credit card information.

According to a message on the company's Web site from Premera President and chief executive Jeff Roe, the medical claims data accessible to the attackers included "clinical information."

"This is potentially one of the largest breaches that has ever been reported involving health-care information," said Dave Kennedy, the chief executive of TrustedSEC and an expert on health-care security.

The company is offering two years of free credit monitoring and identity theft protection services to those affected by this incident. Premera is currently working with cybersecurity company Mandiant to investigate the breach, as well as law enforcement.

"The FBI is investigating the Premera cyber intrusion and is working with the victim company in order to determine the nature and scope of this incident," FBI spokesman Joshua Campbell told The Post.

News of the Premera hack comes just two months after Anthem, a fellow Blue Cross Blue Shield associated company and the second largest insurer in the country, announced that a cyberattack had resulted in a data breach affecting tens of millions of customers.

But in that case, hackers are not believed to have obtained medical information, making the breach of Premera particularly concerning for consumers.

Health-care companies have become attractive to hackers because of the premium paid on the black market for insurance credentials. A complete set of health insurance credentials cost ten to twenty times more than a credit card number with security code on underground black markets in 2013, according to Dell SecureWorks. The information can be used for identity theft, but also for medical fraud such as purchasing expensive medical equipment or obtaining pricey medical care. This type of fraud often takes longer to detect, security experts have said.

"We sincerely regret the frustration and concern this incident may cause. The security of our members’ personal information is a top priority," Roe, Premera's chief executive, said in a message on the company's Web site.

Ellen Nakashima contributed reporting.