Another big health insurance company has revealed it has been the target of a massive cyberattack.

Premera Blue Cross says hackers may have taken up to 11 million customer records. Those records include credit card numbers, Social Security numbers, even information about medical problems. This news is just coming out but Premera issued a statement saying it discovered the breach on Jan. 29. That's about the same date that Anthem, another Blue Cross company, told the FBI that it was breached.

It's possible that Anthem put the word out and, given the timelines, the attacks were related — done by the same perpetrator. At least that's an educated guess from the cybersecurity company iSight Partners.

Premera also says the attack itself started in May of last year. But iSight found a suspicious domain called "prennera.com," an address that may have been made to spoof Premera's official website. It was created in December 2013.

Either way, that's many, many months to steal people's data. NPR has reported previously on the black market for credit cards and health records. Will a bunch of for-sale signs go up there? Probably not this time — or at least that's according to sources who hang out in the underground.

Health care data can be more valuable than credit card information on the black market. But so far, sources say, the Anthem data hasn't shown up on the underground sites. And Premera may not either. It could be that the hackers are not run-of-the-mill criminals, but in it for cyber-espionage.

Yes, cyber-espionage. As in spies. It's possible that a nation-state actor is involved.

Both health care companies are huge providers with lots of government workers. So if someone wants intel on Defense Department employees — where they live, spouses' names, serious (or embarrassing) medical conditions, a breach is a way to stockpile that data and use it for blackmail later.

As iSight malware analyst Brian Bartholomew says: "The sole purpose of espionage is to steal information, gain advantage. By publicizing, you're giving up the leverage you have."

NPR has asked Premera and the FBI whether they are alerting other health care providers to watch out or providing details other companies might benefit from. Neither has immediately responded to our inquiry.

There's another group called the National Healthcare ISAC (Information-sharing and Analysis Center) that helps to share breach information. They say they've been in contact with private investigators at Mandiant as well as federal investigators handling the case. So far, the specific ways that Premera was attacked — like the IP addresses the attacks came from or the specific types of malware — have not been declassified and shared with other potential targets.

Director Deborah Kobza says in an email, "It is only through coordinated sector and cross-sector cybersecurity information sharing, that we, as a nation, can move critical infrastructure cybersecurity protection from a reactive to proactive stance."

But what is Premera doing to protect victims — the up to 11 million people who may be affected here? Premera says it is offering two years of free credit monitoring. It's the same kind of protection that retailers and financial institutions have given victims of credit card hacking. But if the point of this theft is altogether different, espionage, then identity monitoring doesn't really help in the end.

Copyright 2015 NPR. To see more, visit http://www.npr.org/.

Transcript

DON GONYEA, HOST:

Another big health insurance company has revealed it's been the target of a massive cyber-attack. Premera Blue Cross says hackers may have taken up to 11 million customer record. Those records include credit card numbers, social security numbers, even information about medical problems. Here to talk about this is NPR's Aarti Shahani. Hi, Aarti.

AARTI SHAHANI, BYLINE: Hi.

GONYEA: So the news is just coming up, but when did the actual breach happen?

SHAHANI: Premera says they discovered the breach on Jan. 29. That's about the same date that Anthem, another Blue Cross company, told the FBI that it was breached. So it's quite possible that Anthem put the word out, and given the timelines, the attacks were related - done by the same perpetrator - at least, that's an educated guess from one of my sources, the cybersecurity company iSight Partners. Also, Premera says the attack itself started in March of last year, but iSight found a suspicious domain - an address that may have been meant to spoof the Premera website - that was created back in December of 2013. Either way, that's many, many months to steal people's data.

GONYEA: OK, so there's all of this stolen data. I know you've reported previously about the black market for credit cards and health records. Are we expecting the same thing here?

SHAHANI: Well, we're probably not going to see a bunch of for-sale signs this time - or at least that's according to my sources who hang out in the underground. Healthcare data can be more valuable than credit card data on the black market, but so far, again, according to the sources, the Anthem data has not shown up on the underground sites - and Premera may not either. It could be that the hackers are not run-of-the-mill criminals, but they're in it for cyber-espionage.

GONYEA: OK, you said cyber-espionage. What are you talking about? I mean, spies?

SHAHANI: Well, it's possible that a nation-state actor is involved. The healthcare companies are huge providers with lots of government workers. So say I want intel on Department of Defense employees - where they live, their spouses' names, serious or embarrassing medical conditions. This breaches a way to stockpile that data and use it for blackmail later. So the point of espionage is information gathering. You don't go sell and lose your leverage on the market.

GONYEA: Is Premera alerting other healthcare companies to watch out? Are they giving out details on just what happened to them?

SHAHANI: NPR has asked Premera and the FBI. And so far, neither has immediately responded to our inquiry. There is another group - an Information Sharing and Analysis Center for healthcare providers. They help share breach information. They tell me they've been talking to the private investigators and the federal ones handling the case, and so far, the specific ways that Premera was attacked, like the IP addresses used, where the attacks came from, specific malware - they haven't been declassified and shared with other potential targets yet. No.

GONYEA: So we're talking up to 11 million people who may be affected here. What is Premera doing to protect the victims?

SHAHANI: They say they're offering two years of free credit monitoring. It's the same kind of protection that retailers and financial institutions have given victims of credit card hacking. But if the point of this theft is altogether different - that is, espionage - then identity monitoring doesn't really help you in the end.

GONYEA: NPR's Aarti Shahani on news of yet another cyber-attack of a health insurer. Thanks, Aarti.

SHAHANI: Thank you. Transcript provided by NPR, Copyright NPR.

300x250 Ad

Support quality journalism, like the story above, with your gift right now.

Donate