By Anna Wilde Mathews and Danny Yadron 

Health insurer Premera Blue Cross said hackers gained access to the personal information of around 11 million consumers, including bank account and clinical data for some.

Premera, a Washington state-based not-for-profit, said it detected the breach on Jan. 29, but the incursion may have initially occurred last May. The records exposed could include names, birthdays, Social Security numbers and addresses, as well as bank-account information and health data from claims paid by the insurer, said Eric Earling, a Premera spokesman.

Premera's employer clients include Microsoft Corp. and Starbucks Corp. A Microsoft spokeswoman declined to comment. A spokesman for Starbucks said Premera had notified it about the attack and "that we and several other companies may have been impacted."

The announcement is likely to draw further attention to the potential vulnerability of health companies to such intrusions. Last month, health insurer Anthem Inc. disclosed a hacker incursion that exposed the information of approximately 78.8 million people. Last year, hospital operator Community Health Systems Inc. revealed a breach that involved records on 4.5 million consumers.

Investigators are still trying to determine who was behind the Premera breach. But some, as they did in the Anthem breach, see links to China based on the hacking software used, two people familiar with the matter said. Another point they note: None of the data from Anthem or Premera has shown up on Internet black markets used by identity thieves.

This has promoted a theory in private security and government circles that the Chinese are harvesting personal data on Americans whom they could target in spying operations. That opinion is based only on hypotheses, though, these people said. Community Health also pointed to potential Chinese sources in its incursion.

A Chinese Embassy spokesman, Zhu Haiquan, said "Chinese laws prohibit cyber crimes of all forms," and international hacking attacks are "hard to track and therefore the source of attacks is difficult to identify." He said that "jumping to conclusions...is not responsible and counterproductive."

Mr. Earling said Premera couldn't speak about the origin of the attack because the attack is the subject of a Federal Bureau of Investigation probe. He said so far "there is no evidence that any data was removed from the system and no evidence any data was used inappropriately." In a statement, the FBI said it was investigating.

Anthem spokeswoman Kristin Binns said Tuesday that to date, "there is no evidence to indicate our members' data has been used inappropriately as a result of this attack. We have no evidence at this time that fraud has occurred."

The Premera breach shows some possible links to the Anthem incident, though it remains unclear if they were the work of the same hackers, according to the two people familiar with the matter.

After the Anthem breach became public, security researchers at various companies looked at the digital signatures used in the Anthem malware. Security researchers amass huge databases of hacking software, and when they queried the signature used in the Anthem malware, they found it was also used on another piece of malicious software that connected to the odd Web address prennera.com, which appeared to be a deliberate misspelling of premera.com, according to ThreatConnect Inc., a Washington-area cybersecurity company that has written on the Anthem breach.

The website was registered in December 2013, according to Internet registration records viewed by ThreatConnect.

Premera believes its breach and Anthem's were "different cyberattacks," Mr. Earling said.

Premera's data was encrypted, Mr. Earling said, but the attackers "gained unauthorized access to our systems, thus allowing them to potentially access personal information." The information, which goes back to 2002, includes data for Premera customers and former customers, as well as its own employees and others such as vendors. People could also be affected if they are members of other Blue Cross and Blue Shield plans and accessed health care in Premera's service area of Washington state and Alaska.

Mr. Earling said Premera discovered the breach along with FireEye Inc.'s cybersecurity unit Mandiant, which is now helping to investigate.

Washington's insurance commissioner, Mike Kreidler, said in a statement that he was "concerned...it took approximately six weeks to notify my office" about the attack after its detection. Premera's Mr. Earling said the insurer was "strongly advised by experts it was important to complete the investigation and secure our systems" before making the attack public.

Write to Anna Wilde Mathews at anna.mathews@wsj.com
