DON GONYEA, HOST:
Another big health insurance company has revealed it's been the target of a massive cyber-attack. Premera Blue Cross says hackers may have taken up to 11 million customer record. Those records include credit card numbers, social security numbers, even information about medical problems. Here to talk about this is NPR's Aarti Shahani. Hi, Aarti.
AARTI SHAHANI, BYLINE: Hi.
GONYEA: So the news is just coming up, but when did the actual breach happen?
SHAHANI: Premera says they discovered the breach on Jan. 29. That's about the same date that Anthem, another Blue Cross company, told the FBI that it was breached. So it's quite possible that Anthem put the word out, and given the timelines, the attacks were related - done by the same perpetrator - at least, that's an educated guess from one of my sources, the cybersecurity company iSight Partners. Also, Premera says the attack itself started in March of last year, but iSight found a suspicious domain - an address that may have been meant to spoof the Premera website - that was created back in December of 2013. Either way, that's many, many months to steal people's data.
GONYEA: OK, so there's all of this stolen data. I know you've reported previously about the black market for credit cards and health records. Are we expecting the same thing here?
SHAHANI: Well, we're probably not going to see a bunch of for-sale signs this time - or at least that's according to my sources who hang out in the underground. Healthcare data can be more valuable than credit card data on the black market, but so far, again, according to the sources, the Anthem data has not shown up on the underground sites - and Premera may not either. It could be that the hackers are not run-of-the-mill criminals, but they're in it for cyber-espionage.
GONYEA: OK, you said cyber-espionage. What are you talking about? I mean, spies?
SHAHANI: Well, it's possible that a nation-state actor is involved. The healthcare companies are huge providers with lots of government workers. So say I want intel on Department of Defense employees - where they live, their spouses' names, serious or embarrassing medical conditions. This breaches a way to stockpile that data and use it for blackmail later. So the point of espionage is information gathering. You don't go sell and lose your leverage on the market.
GONYEA: Is Premera alerting other healthcare companies to watch out? Are they giving out details on just what happened to them?
SHAHANI: NPR has asked Premera and the FBI. And so far, neither has immediately responded to our inquiry. There is another group - an Information Sharing and Analysis Center for healthcare providers. They help share breach information. They tell me they've been talking to the private investigators and the federal ones handling the case, and so far, the specific ways that Premera was attacked, like the IP addresses used, where the attacks came from, specific malware - they haven't been declassified and shared with other potential targets yet. No.
GONYEA: So we're talking up to 11 million people who may be affected here. What is Premera doing to protect the victims?
SHAHANI: They say they're offering two years of free credit monitoring. It's the same kind of protection that retailers and financial institutions have given victims of credit card hacking. But if the point of this theft is altogether different - that is, espionage - then identity monitoring doesn't really help you in the end.
GONYEA: NPR's Aarti Shahani on news of yet another cyber-attack of a health insurer. Thanks, Aarti.
SHAHANI: Thank you.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.