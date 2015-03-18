(Adds Starbucks comment)
By Jim Finkle
BOSTON, March 17 Health insurer Premera Blue
Cross said on Tuesday it was a victim of a cyberattack that may
have exposed medical data and financial information of 11
million customers, in the latest serious breach disclosed by a
healthcare company.
Premera said the attackers may have gained access to claims
data, including clinical information, along with banking account
numbers, Social Security numbers, birth dates and other data in
an attack that began in May 2014.
It is the largest breach reported to date involving patient
medical information, according to Dave Kennedy, an expert in
healthcare security who is chief executive of TrustedSEC LLC.
About 6 million of the people whose accounts were accessed
are residents of Washington state, where customers include
employees of Amazon.com Inc, Microsoft Corp
and Starbucks Corp, according to Premera. The rest are
scattered across every U.S. state.
The insurer said it has so far uncovered no evidence to show
that member data was "used inappropriately."
Medical records are highly valuable on underground criminal
exchanges where stolen data is sold because the information is
not only highly confidential but can also be used to engage in
insurance fraud.
"Medical records paint a really personal picture of
somebody's life and medical procedures," Kennedy said. "They
allow you to perpetrate really in-depth medical fraud."
A Starbucks spokesman told Reuters that Premera notified the
coffee chain on Tuesday that Starbucks may have been affected by
the attack. A representatives from Amazon did not respond to
requests for comment, and a representative at Microsoft declined
comment.
Although a breach at Anthem disclosed earlier this year and
another large one disclosed last year by hospital operator
Community Health Systems Inc involved larger numbers of
records, those companies said they believed the attackers did
not access medical information.
The Premera breach was uncovered on Jan. 29, the day that
insurer Anthem Inc disclosed a cyber attack involving
records of some 79 million members in Blue Cross Blue Shield
plans across the country.
Premera spokesman Eric Earling said the two attacks were
unrelated and that his company independently identified its
breach.
Still, experts expect that other healthcare companies will
find that they have been breached as the latest attack prompts
them to look for intrusions.
"I think other insurance providers are compromised today and
we still don't know it. More and more are going to disclose
attacks," Kennedy said.
Premera hired FireEye Inc to investigate the matter
and is also working with the FBI.
The attack affected Premera Blue Cross, Premera Blue Cross
Blue Shield of Alaska, and affiliated brands Vivacity and
Connexion Insurance Solutions.
