News Feature | March 19, 2015

Premera Data Breach Could Impact Millions


By Christine Kern, contributing writer


Healthcare’s latest data breach once again highlights the need for heightened attention to data security.

Premera Blue Cross announced earlier this week that hackers had gained unauthorized access to its IT systems in a security breach dating back to 2002 that will affect up to 11 million customers. According to Premera, an investigation revealed an initial malware attack dating to May 5, 2014, which went undetected until January 29, 2015.

Eric Earling, vice president of corporate communications, defended the company’s decision to remain mum regarding the breach until now, telling King5 News the company had to “make sure the IT systems are secured and protected before an announcement is made. We were advised that these types of cyber attackers will engage in even more malicious activity if you make an announcement before you secure IT systems.”

Premera officials have said hackers may have gained access to claims data, clinical information, bank account numbers, Social Security numbers, birth dates, and other data. The Premera statement asserts there is no evidence any breached information has been used inappropriately.

Dave Kennedy, chief executive of TrustedSec and a healthcare security expert, told The New York Times this is the largest breach of patient medical information reported to date. Although the recent Anthem breach and the 2014 breach of Community Health Systems each involved larger numbers of records than the Premera attack, those earlier attacks are not believed to have compromised medical information.

The breach affects users of Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and Vivacity and Connection Insurance Solutions. About six million of the people whose accounts were affected are residents of Washington State, where customers include employees of Amazon.com, Microsoft, and Starbucks, according to Premera. The rest are scattered across the United States.

Krebs on Security weighed in on the breach, writing, “Although Premera isn’t saying so just yet, there are indicators that this intrusion is once again the work of state-sponsored espionage groups based in China.” On February 27, 2015, ThreatConnect researchers found links connecting the same threat actors suspected in the Anthem breach to a possible attack against Premera using a domain called prennera.com.

“It is believed that the prennera[.]com domain may have been impersonating the Healthcare provider Premera Blue Cross, where the attackers used the same character replacement technique by replacing the ‘m’ with two ‘n’ characters within the faux domain, the same technique that would be seen five months later with the we11point[.]com command and control infrastructure,” ThreatConnect wrote in a blog post three weeks ago.
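As an added defender-side example (not from the article or from ThreatConnect), the following Python flags hostnames built with the character-replacement technique described above, so a security team can check DNS or proxy logs for names that impersonate its own brands. The brand domains premera.com and wellpoint.com, and every substitution other than the quoted m to nn and l to 1 swaps, are assumptions.

```python
"""Flag hostnames that impersonate a brand domain by character substitution,
the technique ThreatConnect describes for prennera.com and we11point.com."""
from itertools import product

# Legitimate character -> replacements seen in faux domains. 'm' -> 'nn'
# and 'l' -> '1' are the two cases quoted in the article; the remaining
# entries are assumed, commonly observed swaps added for this example.
SUBSTITUTIONS = {
    "m": ("nn", "rn"),
    "l": ("1", "i"),
    "o": ("0",),
    "e": ("3",),
}

def lookalike_labels(label: str) -> set[str]:
    """Every variant of a DNS label with one or more substitutions applied."""
    options = [(ch,) + SUBSTITUTIONS.get(ch, ()) for ch in label.lower()]
    return {"".join(combo) for combo in product(*options)} - {label.lower()}

def registrable_label(hostname: str) -> str:
    """Second-level label of a hostname (naive: assumes a one-label TLD)."""
    parts = hostname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def build_index(brand_domains) -> dict[str, str]:
    """Map every lookalike label to the brand domain it impersonates."""
    index = {}
    for brand in brand_domains:
        for fake in lookalike_labels(registrable_label(brand)):
            index[fake] = brand
    return index

def find_lookalikes(brand_domains, hostnames) -> dict[str, str]:
    """Return {observed hostname: impersonated brand} for suspicious names."""
    index = build_index(brand_domains)
    hits = {}
    for host in hostnames:
        brand = index.get(registrable_label(host))
        if brand:
            hits[host] = brand
    return hits

# Constructed sample: assumed brand domains plus hostnames as they might
# appear in DNS query logs (none of these are indicators from the article).
BRANDS = ["premera.com", "wellpoint.com"]
OBSERVED = ["www.premera.com", "mail.prennera.com", "we11point.com",
            "update.prernera.net", "connection.example.org"]

if __name__ == "__main__":
    for host, brand in find_lookalikes(BRANDS, OBSERVED).items():
        print(f"{host} impersonates {brand}")
```

Legitimate traffic to the brand itself is excluded because the brand's own label is removed from its lookalike set, and a different TLD (prernera.net) is still caught because only the second-level label is compared.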