Premera knew systems were vulnerable prior to attack

An audit report received by Premera three weeks before the Mountlake Terrace, Washington-based health payer's systems were breached warned of looming network security issues. The health insurer revealed this week that a "sophisticated cyberattack" put the personal information of 11 million customers at risk.

The report, sent by the U.S. Office of Personnel Management's Office of the Inspector General to Premera on April 18, 2014, outlined several vulnerabilities, including:

  • A lack of timely patch implementations
  • Lack of methodology to "ensure that unsupported or out-of-date software is not utilized"
  • Insecure server configurations

Premera's systems initially were breached on May 5, 2014, but the breach was not detected until Jan. 29 of this year.

The final report was published publicly in November 2014.

OPM made several recommendations to Premera, based on the report's findings, including:

  • Reconfiguration of the company's information systems
  • Implementation of procedures and controls to update production servers in a timely manner
  • Implementation of procedures to implement supported software systems
  • Routine audits of all security settings

OPM also called on Premera to improve the physical access controls at its data center, recommending "multi-factor authentication" for access to the computer room.

"Failure to promptly install important updates increases the risk that vulnerabilities will not be remediated and sensitive data could be breached," the report stated. In addition, OPM said failure to remove outdated software "increases the risk of a successful malicious attack on the information system."

Premera told OPM it would resolve its issues by Dec. 31, 2014.

The Health Information Trust Alliance announced Thursday that it published reports that included threat indicators of suspicious activity associated with Premera on Feb. 20 of this year. According to HITRUST, there is early speculation that this breach is tied to "threat actor Deep Panda," who also was linked to a recent Anthem breach.

"HITRUST is continuing to monitor the Premera situation and will continue to distribute information as it becomes available, and work with the industry to disseminate any findings and lessons learned that can help other organizations better prepare and respond to these types of cyber incidents," the announcement said.

To learn more:
- read the OPM report (.pdf)
- here's the HITRUST announcement