Security Medicine Privacy

Personal Healthcare Info of Over 11M Premera Customers Compromised

An anonymous reader writes: "U.S. healthcare provider Premera Blue Cross has suffered a data breach that resulted in a potential compromise of personal, financial and health-related information of as many as 11 million applicants and members. The breach was detected on January 29, 2015, and the investigation mounted by the company and by forensic investigators from Mandiant has revealed that the initial attack happened on May 5, 2014. The FBI has also been notified, and is involved in the investigation."

  • by the_skywise ( 189793 ) on Wednesday March 18, 2015 @10:06AM (#49283307)

    And they've compromised about 5% of the US population...

    • Re: (Score:3, Funny)

      by ColdWetDog ( 752185 )

      So, pretty much everyone with insurance?

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Not 5%.

      The Anthem hack was 80 million people. This brings it to 91. That's 28% of the US population who have had their entire identity stolen.

      • My bad - the last number I recalled hearing was 25 million (including me)

      • Re: (Score:3, Insightful)

        Social Security numbers shouldn't be considered confidential. It should be impossible for financial services to use a person's SSN for any purpose for which they assume it is private or confidential.

        The government could neuter the whole issue by publishing everyone's SSN in a big digest. Names alongside SSNs.

        The SSN was never intended as anything but an index for the Social Security System. That financial institutions have instrumented it into being a 'secret' that people use to secure 'credit' should be

        • True... my old USAF dog tags have my SSN stamped onto them. Folks used to put their SSN on their checks alongside their name and address. Until recently, many states used your SSN as your drivers' license number.

          It was never, ever intended to be some secret passcode that unlocks your data, nor should it be. The sooner financial institutions (and credit reporting agencies!) stop using it, the better. The only thing I fear with doing so is that such institutions will demand more intrusive means of identifying

    • It's curious that they and Anthem discovered the breaches on the same day. I know coincidence doesn't prove a linkage, but still this seems a bit suspicious.

  • by hipsterdufus ( 42989 ) on Wednesday March 18, 2015 @10:19AM (#49283415)

    As an admin, I'd love to see the actual technical aspects of the breach. How did they get in? How did they compromise your security? How long were they in the system before being detected? How did you detect them? Were you logging information that did catch them, but some oversight caused that data to be missed? How do you KNOW they are out of the system without flattening the entire infrastructure?

    Knowing this data can help security professionals add more security layers to keep the evil-doers out of the network.

    • An admin, huh? With those sorts of questions, you are undoubtedly a criminal. Or someone who could become a criminal under certain circumstances and we can't have that.

      Please keep your hands away from your lap and the keyboard. We shall be with you in a moment.

    • How do you KNOW they are out of the system without flattening the entire infrastructure?

      Because we turned off the latest version of the PC Anywhere and Carbon Copy boxes that didn't use passwords to login. How else could they have entered the system? (Don't ask about the VLC box, we're still trying to locate it.)

    • I'm an admin as well and I find that in several months there will be an anatomy of the breach posted in several stories.

  • They don't need it
    They won't protect it
    They will share it
    They are not liable when it is stolen

    There is no upside for customer

    • by Anonymous Coward

      No choice. They'll get it anyways. My employer gave it to Aetna without my permission.

      I had a procedure done at a hospital recently. During registration, I glanced at the computer screen and they had my freakin drivers license photo! This was a private for-profit hospital and they have realtime access to the DMV database, so SSN should be easy.

    • by Anonymous Coward

      Good luck with that.

      Doctors offices are the most incompetent people when it comes to business.

      When I put up a fuss, there's always this "office manager" who insists they need it for "identification purposes".

      Medical is extremely careless with our information and when you try to take prudent precautions, they get all bitchy.

      Or as an ex-medical consultant friend of mine liked to say, "Doctors let their wives play office manager and the trouble is, doctors marry women who flunk out of beauty school."

    • by Dutch Gun ( 899105 ) on Wednesday March 18, 2015 @11:03AM (#49283875)

      I've heard about protecting your SSN nearly my entire life. Can anyone actually steal your identity with just your SSN? Given the world we live in nowadays, what sort of half-wit organization would consider your SSN some personal passcode that no one else should know? Frankly, I think we should just make them all public records, and then get over the asinine notion that we can use them as some sort of damned security code. As has been aptly demonstrated, it's not like we can really keep them secret for long anyhow. You're constantly forced to give it to strangers. What sort of "secret number" is that?

      Sorry, I'm not ranting at you. The inability of major corporations to keep customer data secret is really getting on my nerves. It's just ridiculous.

      • You picked up a clue with the words 'half-wit'.

        • You picked up a clue with the words 'half-wit'.

          Absolutely this!!! My SSN is an ID. It's not a damn password, but too many half-wits treat it as such.

      • by sjames ( 1099 )

        The whole concept of "identity theft" is daft. Nobody gets their identity stolen. They continue to be who they always were. What actually happens is that the bank gets defrauded and then the credit agencies commit libel. But our system of laws for some reason gives them a pass on that whole evidence thing that should stop them from harassing a third party (the so called victim of identity theft).

        The solution is actually simple. Require the banks to ACTUALLY present evidence before attempting to collect on

  • wow, first Anthem BCBS [11alive.com], and now Premera BCBS.
    • Actually Vice Versa. Premera got hacked long before Anthem; Anthem just didn't have nearly as much time between breach and releasing the fact to the public as Premera did.
  • Comment removed based on user account deletion
  • I for one am glad that there is no imminent danger [slashdot.org] from anyone compromising health information.
    • As an identity theft victim, this doesn't surprise me. The whole system is set up to protect the large companies from any liability should your personal information be misused and to place the burden on you to prove that it was indeed misused.

      Given that names, DOB, address, and SSN were likely breached - which together could be used to open credit lines in a person's name - my recommendation would be to freeze your credit if you were one of the affected. It's a pain because you can't open up any new lines

  • The main discussion on this breach, as well as others involving medical records, is their use in financial identity theft, especially fraudulent insurance claims. That's the main motive for the attacker. What about the consequences? I wonder if this has or will start to have an effect on the patients. In other words, reluctance to seek care because the diagnosis won't remain private. Maybe it would also cause an increase in people seeking, so called, alternative medicine where they don't have to standar
  • Does anyone have any details as to how this data breach was achieved and what platform Premera Blue Cross computer system runs on?
  • One thing I've noticed about these data breaches is that they happen at companies who don't really care that much about IT. Almost everywhere these days, IT departments in organizations like that have been outsourced. So the question is, does that extra layer of abstraction cause in-house staff to miss stuff?

    Let's assume the outsourcer is competent and doing an OK job. Even with that assumption, you now have another level that any IT change has to go through before it is implemented. Is it possible that the

  • The summary says "Premera Blue Cross has suffered a data breach". But have they suffered? No doubt there will be lawsuits that drag on for years, but how much will this cost them in relation to their overall wealth and income? And how many executives will lose their bonus for the year (of course none will be fired)? Where and how exactly are they suffering? Has any company or executive ever paid a substantial penalty for losing identity data? Perhaps the penalty is having to distribute donations to their co