FOX Business has obtained a federal audit of Premera Blue Cross’s cybersecurity in which the federal government warned Premera that it was at risk of a cyber attack on April 17, 2014, weeks before the health insurer was hacked. Premera’s cyber attack occurred on May 5, 2014 but was discovered in late January of this year.
Cyber hackers stole data for 11 million current and former customers, for some customers as far back as 2002, including names, dates of birth, Social Security numbers, addresses, bank-account information and claim information, as well as clinical information. Customers are now at risk of identity theft, bank fraud, tax fraud and medical-identity fraud. Premera has indicated it is still unclear as to how exactly hackers got into its computer infrastructure.
Because Premera is in the Federal Employees Health Benefits Program, and in turn handles claims for federal workers, the inspector general for the federal Office of Personnel Management did a sweeping cyber audit and found Premera was allowing weak passwords, and was using software “so old that they were no longer supported by the vendor and had known security problems,” among other things. Premera agreed to investigate the issues noted in the audit, the document indicates.
Specifically, OPM’s auditors warned that several servers contained “insecure configurations” that could let hackers in the door. “Several servers contained insecure configurations that could allow hackers or unprivileged users to insert code that would result in privilege escalation,” the report said. “The escalated privileges could grant the hackers unauthorized access to sensitive and proprietary information.”
The OPM audit added: “Failure to promptly install important updates increases the risk that vulnerabilities will not be remediated and sensitive data could be breached.” It also warned: “Failure to remediate vulnerabilities increases the risk that hackers could exploit system weaknesses for malicious purposes.”
The inspector general for the Office of Personnel Management said Premera needed better controls over its computer systems, and gave it ten recommendations to fix its computer security.
Premera Blue Cross is now battling five class-action lawsuits which allege negligence, violations of state consumer protection laws, and failure to disclose the hack to customers in a timely fashion, among other issues.
Three states are also investigating, Washington, Oregon and Alaska. Sen. Patty Murray (D-Wash.), the top Democrat on the Senate Health, Education, Labor and Pensions Committee, has sent Premera a letter requesting information about the hack, including an explanation for the delays in notifying customers. Premera responded that the outside security consultant it hired to investigate the breach, Mandiant, recommended against notifying customers or media “before the scope of the intrusion was determined” and in advance of ensuring its systems were secure, because notification “would alert the attackers and could prompt them to download sensitive information” and “further embed themselves in the system or otherwise do further harm to both Premera and its members,” Premera CEO Jeffrey Ross said.
Premera says it has contacted affected customers and that it would offer two years of no-cost credit monitoring as well as identity theft protection. In addition, the company has launched a call center and a website to deliver information about the hack.