Another big health insurance company has revealed it has been the target of a massive cyberattack.
Premera Blue Cross says hackers may have taken up to 11 million customer records. Those records include credit card numbers, Social Security numbers, even information about medical problems. This news is just coming out but Premera issued a statement saying it discovered the breach on Jan. 29. That's about the same date that Anthem, another Blue Cross company, told the FBI that it was breached.
It's possible that Anthem put the word out and, given the timelines, the attacks were related — done by the same perpetrator. At least that's an educated guess from the cybersecurity company iSight Partners.
Premera also says the attack itself started in May of last year. But iSight found a suspicious domain called "prennera.com," an address that may have been made to spoof Premera's official website. It was created in December 2013.
Either way, that's many, many months to steal people's data. NPR has reported previously on the black market for credit cards and health records. Will a bunch of for-sale signs go up there? Probably not this time — or at least that's according to sources who hang out in the underground.
Health care data can be more valuable than credit card information on the black market. But so far, sources say, the Anthem data hasn't shown up on the underground sites. And Premera may not either. It could be that the hackers are not run-of-the-mill criminals, but in it for cyber-espionage.
Yes, cyber-espionage. As in spies. It's possible that a nation-state actor is involved.
Both health care companies are huge providers with lots of government workers. So if someone wants intel on Defense Department employees — where they live, spouses' names, serious (or embarrassing) medical conditions, a breach is a way to stockpile that data and use it for blackmail later.
As iSight malware analyst Brian Bartholomew says: "The sole purpose of espionage is to steal information, gain advantage. By publicizing, you're giving up the leverage you have."
NPR has asked Premera and the FBI whether they are alerting other health care providers to watch out or providing details other companies might benefit from. Neither has immediately responded to our inquiry.
There's another group called the National Healthcare ISAC (Information-sharing and Analysis Center) that helps to share breach information. They say they've been in contact with private investigators at Mandiant as well as federal investigators handling the case. So far, the specific ways that Premera was attacked — like the IP addresses the attacks came from or the specific types of malware — have not been declassified and shared with other potential targets.
Director Deborah Kobza says in an email, "It is only through coordinated sector and cross-sector cybersecurity information sharing, that we, as a nation, can move critical infrastructure cybersecurity protection from a reactive to proactive stance."
But what is Premera doing to protect victims — the up to 11 million people who may be affected here? Premera says it is offering two years of free credit monitoring. It's the same kind of protection that retailers and financial institutions have given victims of credit card hacking. But if the point of this theft is altogether different, espionage, then identity monitoring doesn't really help in the end.