Personal Healthcare Info of Over 11M Premera Customers Compromised
An anonymous reader writes: U.S. healthcare provider Premera Blue Cross has suffered a data breach that resulted in a potential compromise of personal, financial and health-related information of as many as 11 million applicants and members. The breach was detected on January 29, 2015, and the investigation mounted by the company and by forensic investigators from Mandiant has revealed that the initial attack happened on May 5, 2014. The FBI has also been notified, and is involved in the investigation.
This plus Anthem (also Blue Cross) (Score:4, Informative)
And they've compromised about 5% of the US population...
Re: (Score:3, Funny)
So, pretty much everyone with insurance?
Re: (Score:3, Informative)
Because you have to be able to show you suffered a loss. No, and loss of privacy rarely counts (you need a really good lawyer to push that one). Not to worry, however - after some period of time and a few more breaches, the Class Action lawyers will crawl out of the woodwork and after a few more years, get some settlement from the various insurance companies that offers the lawyers a couple of million for them and free credit reporting for the Rest of Us.
By that time the SCO case will have finally been ad
Re: (Score:2)
For the longest time I was in favor of nationalized healthcare; but now in the era of 'big data' (pardon the buzzword, my soul dies a little bit every time I say stuff like that) -- I'm not so sure.
Do the pros (lower cost, fewer people without coverage) outweigh the cons? (data breaches, loss of privacy, potential for governmental abuse, and/or sticking their snouts where they don't belong)
Seeing private companies suffer from lack of security, and the potential ramifications -- a government run 'insurance'
Re: (Score:1)
Re: (Score:2)
Do you file taxes with the IRS? Do you own a passport? The government already has plenty of your data. Healthcare won't change much.
Spoken like a true ACA apologist. Before that law went into effect, the 'data' the IRS or State Dept had on me was all largely discoverable through a few simple public records searches, and a beginner's OSINT effort. Not all my salary would be hard to determine specifically, and my SSN might be moderately difficult to discover. Otherwise the IRS had name, address, phone, bank account numbers (anyone who has ever handled a check you have written has access to that), DOB (you probably share that on FaceSpac
Re: (Score:2)
Do you file taxes with the IRS? Do you own a passport? The government already has plenty of your data. Healthcare won't change much.
Spoken like a true ACA apologist.
Agreed, and this apologist enjoys very much his CANADIAN Universal Single Payer Health Insurance.
Re: (Score:2)
Re: (Score:2)
The government already has all of your data. It might as well use it for something actually helpful to you.
Private insurance has already created billing paperwork MORE complex than government billing, so no loss there.
The big difference is that the back end costs would be incurred by the one entity that has actual power to demand that medical suppliers quit ripping off their customers.
Re: (Score:2)
How often do you hear about a government personal info data breach? The DMV, IRS, VA? Part of the problem is that the insurance companies are only interested in fleecing their customers for as much as possible. They're not interested in protecting your data, so it slips through their fingers. "Oopsie, sorry about that." is all we get.
The government, OTOH, is interested in data security. If there were a breach on that side the government also has the power to track you down and throw you in Gitm
Re: (Score:2)
The problem is that the current "nationalized health care" wasn't designed to reduce the costs of the system, merely to increase coverage, which I will admit is a good point.
A decent system would have started by saying that insurance was a lousy model for any cost which you know will be incurred...and removed the insurance companies from the scam. That action alone would have cut the costs by probably 50%. Then it would have cut back tremendously on the paperwork. Get rid of all this "justification for p
Re: (Score:2)
Re: (Score:3, Informative)
Not 5%.
The Anthem hack was 80 million people. This brings it to 91. That's 28% of the US population who have had their entire identity stolen.
Re: (Score:2)
My bad - the last number I recalled hearing was 25 million (including me)
Re: (Score:3, Insightful)
Social Security numbers shouldn't be considered confidential. It should be impossible for financial services to use a person's SSN for any purpose for which they assume it is private or confidential.
The government could neuter the whole issue by publishing everyone's SSN in a big digest. Names alongside SSNs.
The SSN was never intended as anything but an index for the Social Security System. That financial institutions have instrumented it into being a 'secret' that people use to secure 'credit' should be
Re: (Score:2)
True... my old USAF dog tags have my SSN stamped onto them. Folks used to put their SSN on their checks alongside their name and address. Until recently, many states used your SSN as your drivers' license number.
It was never, ever intended to be some secret passcode that unlocks your data, nor should it be. The sooner financial institutions (and credit reporting agencies!) stop using it, the better. The only thing I fear with doing so is that such institutions will demand more intrusive means of identifying
Re: (Score:2)
It's curious that they and Anthem discovered the breaches on the same day. I know coincidence doesn't prove a linkage, but still this seems a bit suspicious.
Full Disclosure, please? (Score:4, Insightful)
As an admin, I'd love to see the actual technical aspects of the breach. How did they get in? How did they compromise your security? How long were they in the system before being detected? How did you detect them? Were you logging information that did catch them, but some oversight caused that data to be missed? How do you KNOW they are out of the system without flattening the entire infrastructure?
Knowing this data can help security professionals add more security layers to keep the evil-doers out of the network.
Re: (Score:2)
An admin, huh? With those sorts of questions, you are undoubtedly a criminal. Or someone who could become a criminal under certain circumstances and we can't have that.
Please keep your hands away from your lap and the keyboard. We shall be with you in a moment.
Re: (Score:2)
And both imply arcane knowledge that is beyond the reality of the mundane.
Either way, not somebody to be trifled with. Or trusted.
Re: (Score:1)
Re: (Score:2)
How do you KNOW they are out of the system without flattening the entire infrastructure?
Because we turned off the latest version of the PC Anywhere and Carbon Copy boxes that didn't use passwords to login. How else could they have entered the system? (Don't ask about the VLC box, we're still trying to locate it.)
Re: (Score:2)
I'm an admin as well and I find that in several months there will be an anatomy of the breach posted in several stories.
Re: (Score:2)
In this case, say my identity is compromised: I have recourse. Say it happens on the Fed exchange: I will have zero recourse.
Another reason not give SSN to healthcare provider (Score:2)
They won't protect it
They will share it
They are not liable when it is stolen
There is no upside for customer
Re: (Score:1)
No choice. They'll get it anyways. My employer gave it to Aetna without my permission.
I had a procedure done at a hospital recently. During registration, I glanced at the computer screen and they had my freakin' driver's license photo! This was a private for-profit hospital and they have realtime access to the DMV database, so SSN should be easy.
Re: (Score:1)
Good luck with that.
Doctors' offices are the most incompetent people when it comes to business.
When I put up a fuss, there's always this "office manager" who insists they need it for "identification purposes".
Medical is extremely careless with our information and when you try to take prudent precautions, they get all bitchy.
Or as an ex-medical consultant friend of mine liked to say, "Doctors let their wives play office manager and the trouble is, doctors marry women who flunk out of beauty school."
Re:Another reason not give SSN to healthcare provi (Score:4, Insightful)
I've heard about protecting your SSN nearly my entire life. Can anyone actually steal your identity with just your SSN? Given the world we live in nowadays, what sort of half-wit organization would consider your SSN some personal passcode that no one else should know? Frankly, I think we should just make them all public records, and then get over the asinine notion that we can use them as some sort of damned security code. As has been aptly demonstrated, it's not like we can really keep them secret for long anyhow. You're constantly forced to give it to strangers. What sort of "secret number" is that?
Sorry, I'm not ranting at you. The inability of major corporations to keep customer data secret is really getting on my nerves. It's just ridiculous.
Re: (Score:2)
You picked up a clue with the words 'half-wit'.
Re: (Score:2)
You picked up a clue with the words 'half-wit'.
Absolutely this!!! My SSN is an ID. It's not a damn password, but too many half-wits treat it as such.
Re: (Score:2)
The whole concept of "identity theft" is daft. Nobody gets their identity stolen. They continue to be who they always were. What actually happens is that the bank gets defrauded and then the credit agencies commit libel. But our system of laws for some reason gives them a pass on that whole evidence thing that should stop them from harassing a third party (the so called victim of identity theft).
The solution is actually simple. Require the banks to ACTUALLY present evidence before attempting to collect on
Re: (Score:2)
I have no idea other than that they are a big financial institution and so get a pass from the old boy network. It certainly should be considered libel under current law.
First Anthem BCBS, now Premera (Score:1)
Re: (Score:2)
Re: (Score:2)
No Imminent Danger (Score:1)
Re: (Score:2)
As an identity theft victim, this doesn't surprise me. The whole system is set up to protect the large companies from any liability should your personal information be misused and to place the burden on you to prove that it was indeed misused.
Given that names, DOB, address, and SSN were likely breached - which together could be used to open credit lines in a person's name - my recommendation would be to freeze your credit if you were one of the affected. It's a pain because you can't open up any new lines
So HIPAA applies to ... (Score:2)
... ???
Re: (Score:1)
Only covered entities. I work for a company that sells health records, and HIPAA does not apply to us. We help companies make sure they don't hire employees with health problems.
Re:So HIPAA applies to ... (Score:5, Insightful)
Re: (Score:2)
You're full of shit.
I'm in the legal profession and we just did a hell of a lot of work to silo HIPAA-related documents and exhibits to comply with the "Business Associate" part of this:
If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the [hhs.gov]
Medical Privacy (Score:1)
A bit short on the technical details .. (Score:1)
Re: (Score:2)
Did you now? How do we know? You have not identified yourself, yet you wish to take credit for being right? How the fuck does that work? You might be right, but you certainly can't claim credit for it unless you are credited for it.
Re: (Score:2)
Just how does that protect you when someone else's computer holding records of your information is breached?
IT outsourcing may be the cause? (Score:2)
One thing I've noticed about these data breaches is that they happen at companies who don't really care that much about IT. Almost everywhere these days, IT departments in organizations like that have been outsourced. So the question is, does that extra layer of abstraction cause in-house staff to miss stuff?
Let's assume the outsourcer is competent and doing an OK job. Even with that assumption, you now have another level that any IT change has to go through before it is implemented. Is it possible that the
the company 'suffered' (Score:2)
The summary says "Premera Blue Cross has suffered a data breach". But have they suffered? No doubt there will be lawsuits that drag on for years, but how much will this cost them in relation to their overall wealth and income? And how many executives will lose their bonus for the year (of course none will be fired)? Where and how exactly are they suffering? Has any company or executive ever paid a substantial penalty for losing identity data? Perhaps the penalty is having to distribute donations to their co