Premera says data breach may affect 11 million consumers

[Editor's note: This article has been updated with additional information and to clarify that although Premera will not send emails to affected members, it will alert them by letter.]

Premera Blue Cross admitted yesterday that hackers gained access to the personal information of millions of customers.

Although the insurer didn't indicate how many members were affected by the breach, the Wall Street Journal reported it involved approximately 11 million customers.

The "sophisticated attack" initially occurred May 5, 2014, but it was not detected by the Washington-based insurer until Jan. 29 of this year, Premera said on a website it set up to inform members about the incident.

Affected information may include members' contact information as well as Social Security numbers, member identification numbers, medical claims information and bank account information, the insurer said. 

Premera spokesman Eric Earling told the Journal that the data was encrypted and obtained by hackers who had gained "unauthorized access" to the insurer's IT systems. The data that hackers accessed dates back to 2002.

Earling told the Journal that he could not speak about the origin of the attack, which remains under FBI investigation. "There is no evidence that any data was removed from the system and no evidence any data was used inappropriately," Earling said.

The insurer said the incident affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska and its affiliate brands Vivacity and Connexion Insurance Solutions. In addition, the incident affected members of other Blue Cross Blue Shield plans who sought treatment in Washington or Alaska. The insurer's employer clients include Fortune 500 companies Microsoft and Starbucks.

The Premera hack comes just weeks after national insurer Anthem Inc. announced that hackers obtained unencrypted data on nearly 80 million individuals. Both hacks show that unauthorized access to member information remains a problem for health insurers, FierceHealthIT previously reported.

Earling told the Journal that Premera believes its breach and the Anthem breach were "different cyberattacks."

Premera said on its website that affected individuals will receive letters in the mail notifying them of the breach. The insurer said it will not email affected individuals and encouraged those people to be on the lookout for spam and phishing emails claiming to be from Premera. Affected individuals will receive two years of free credit monitoring and identity theft protection services through Experian.

In a statement, Washington state Insurance Commissioner Mike Kreidler said his office will be "closely monitoring" Premera's response to the cyberattack and requesting that all insurers operating in the state "review their own cybersecurity and take appropriate measures to protect their enrollees' personal data."

For more:
- read the Wall Street Journal article
- visit the Premera Update website
- read the insurance commissioner's statement

Related Articles:
Cybersecurity: How health executives handle growing privacy threats [Special Report]
Anthem hack: Employee access, not encryption, the problem
8 best practices for payer data security
Security experts on Anthem breach: The biggest threat lurks inside your company
Anthem hack compromises info for 80 million customers