Security News

Tarsus SecureData

Premera Blue Breached, 11M Customers’ Information Exposed, Including Medical Records

Another U.S. health insurer has experienced a significant data breach. On Tuesday, Premera Blue Cross confirmed that it had been the victim of a cyberattack which may have exposed the private information belonging to its 11 million customers, including their bank account numbers, Social Security numbers, birth dates, emails, addresses, phone numbers, and even their claims and clinical information.

The company says that the attack began on May 5, 2014, but it wasn’t discovered until January of this year. In a statement posted on the insurer’s website, the incident is described as affecting Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and its affiliate brands Vivacity and Connexion Insurance Solutions, Inc.

While the attackers may have gained unauthorized access, Premera says it has not determined that the data was removed from its systems, nor has it yet been found to have been used inappropriately. However, the company is offering all affected parties two years of free credit monitoring and identity protection services as a precaution, and warns potential victims that it won’t email them or make unsolicited phone calls regarding the incident.

Unfortunately for the victims, other scammers often follow attacks like this with their own attempts at extracting private data through phishing schemes and social engineering tactics, as was the case shortly after the Anthem data breach.

As you likely recall, in February 2015, the nation’s second-largest insurer Anthem also saw attackers steal the personal information belonging to likely tens of thousands of customers, and soon after, these same victims were targeted with various phishing schemes.

While Premera’s attack may have been smaller in scale than Anthem’s, which saw over 70 million members affected compared to Premera’s 11 million, experts speaking to Reuters are now saying that it’s the largest breach involving patient medical information. By contrast, neither Anthem nor the hospital operator Community Health Systems, which was breached last year, believed its attackers had gained access to medical information.

In addition, 6 million of the 11 million customers are Washington state residents, including employees of a number of large businesses such as Amazon, Microsoft and Starbucks.

According to independent security expert Brian Krebs, the Premera breach may also be the work of state-sponsored espionage groups based in China, noting that Premera says it’s working with the FBI and security firm Mandiant following the attack. “Mandiant specializes in tracking and blocking attacks from state-sponsored hacking groups, particularly those based in China,” writes Krebs, who was the first to make the Anthem-China connection. He says it appears that the same group blamed for Anthem’s breach may have targeted Premera customers as well, by hosting a misspelled domain name for the company where visitors would have been tricked into downloading malicious software.

Source: http://techcrunch.com/2015/03/18/health-insurer-premera-blue-breached-11m-customers-information-exposed-including-medical-records/


Health Insurance Provider Anthem Reports Massive Data Breach – 80m customer records

The nation’s second largest health insurer, Anthem, alerted its customers on Wednesday that hackers had stolen the personal information of likely tens of millions of customers.

Personal information including addresses, birthdays, medical identification numbers, Social Security numbers and some income data belonging to both current and former customers was swept up in the cyberattack, according to a statement from Anthem CEO Joseph Swedish. In somewhat of a silver lining, at this time the company does not believe the hackers stole any medical information or payment information.

He wrote that the company is notifying members individually if their information was accessed.

“Anthem’s own associates’ personal information – including my own – was accessed during this security breach,” he wrote. “We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data.”

Swedish wrote that the insurer has notified the FBI and is fully cooperating with its investigation. He added that the company has also brought on cybersecurity firm Mandiant, the firm that exposed ongoing cyberattacks from the People’s Liberation Army in 2013. Despite these efforts, the company has not yet identified the attacker.

USA TODAY reports the attack could impact up to 80 million Anthem customers, double the number of payment cards affected by the breach of Target last year.

Although this announcement feels all too familiar following the string of recent hacks on companies ranging from Sony to J.P. Morgan, the Wall Street Journal notes this breach differs from others because Anthem discovered the breach itself and notified the public quickly. Hopefully for consumers, this marks a shift in how companies will approach similar hacks in the future.

The hack affected a wide array of Anthem brands, including Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare.

The company has set up a website and a toll-free number (1-877-263-7995) for customers to access updates and ask questions related to the hack. The company will also provide a credit monitoring and identity protection service free of charge.

Source: http://techcrunch.com/2015/02/04/health-insurance-provider-anthem-reports-massive-data-breach/


PoPI: Let’s get to work

The Protection of Personal Information (PoPI) Act was signed into law in 2013. It has been introduced to promote the protection of personal information and to finally provide South Africans rights over their data and who can access it.

One of my responsibilities at SecureData has been to look into the implications of PoPI, what it’ll mean to our end users and how we might use the introduction of this act to drive the sales of technology through the channel.

Before seeing the act there was an assumption on my part that this was going to be a standard much like PCI that would dictate to business exactly how they should be protecting this sensitive data. Of course, what we’ve got now is a piece of legislation which is far from that.

PoPI is largely about people and process. There is little or no direction provided as to the sort of technical controls that should be applied to protect personally identifiable information (PII). Certainly interpretation and implementation of the act will be different for every party, and that is where we, as security thought leaders, are aiming to add value to our resellers.

There’s still much we don’t know about how or even when PoPI will be enforced, but for sure every industry will be affected by PoPI, so we need to be strongly emphasising that the time for action is now.

The one-year deadline is giving businesses an excuse to delay implementing additional measures, but we, as trusted advisers, should be referring to the introduction of similar data protection laws in other regions. The UK Data Protection Act and the US HIPAA laws came with a three-year lead-in period for compliance, and it is my opinion that the one-year grace period provided by PoPI should not be seen as a reflection on its complexity to implement but rather as an urgency to bring all business in line with the rest of the world without further delay.

Rather than seeing it as a burden, we should be promoting and celebrating this piece of legislation. It finally provides South Africans a constitutional right to privacy, brings us in line with the data protection laws of the other developed nations and makes us a more appealing place for international companies to do business with.

The introduction of PoPI now simply provides an additional platform to address the strong data protection practices and systems that SecureData has already been promoting. Implementing such technical controls will not only transition businesses from a reactive security approach to a proactive risk management model but will also provide massive value in ensuring compliance with PoPI and the protection of PII.