Another health insurer has fallen victim to hackers. Premera Blue Cross suffered a breach that may have affected upwards of 11 million consumers. The National Association of Insurance Commissioners (“NAIC”) announced that Washington Insurance Commissioner Mike Kreidler was coordinating the response. NAIC President Monica J. Lindeen stated in the announcement, “Events like this underscore the need for consumers to take immediate and ongoing action to protect personal information like passwords to bank accounts, credit card companies, health insurance accounts and any electronic database that contains sensitive, personal information.” In addition, “We urge insurance consumers to change passwords, check credit reports and carefully monitor all accounts that may contain sensitive information. State regulators are closely monitoring this attack, as well as the recent breach at Anthem, Inc.”
“Serious doubt has now been cast on the US government’s data security regulations after Premera Blue Cross was declared secure by Uncle Sam – just months before the healthcare giant was ransacked for financial and medical information by hackers.” Premera underwent a computer security audit by the United States Government’s Office of Personnel Management because the company, based in Washington, is a healthcare provider to government staffers under the Federal Employees Health Benefits Act. The two-month review spotted a couple of areas that needed addressing. However, in their final report, dated November 28, 2014, the auditors noted that Premera was compliant with the Health Insurance Portability and Accountability Act (HIPAA), despite findings concerning “patch management policies and procedures,” a “failure to establish and routinely monitor approved system configuration settings,” and a “failure to promptly install important updates,” all of which increased the risk that vulnerabilities would not be remediated and sensitive data could be breached.
Hackers are increasingly targeting health insurance companies due to the immense value of the information held by these companies. Many times, the hacker(s) will sell the information to third parties on the black market, who in turn use the information for illegal activities, e.g., identity theft and blackmail.