HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Premera Blue Cross Data Breach Results in Several Lawsuits, Class Actions

Premera is the third largest health insurer in Washington State, and was hit with a cyber attack initiated on May 5 of last year. The Premera attack exposed the personal information of as many as 11 million current and former clients of Premera across the US. While Premera noted on January 29 of this year - the day the data breach was discovered - that according to best information none of the personal data had been used surreptitiously, the fact remains that the data mined by cyber attackers is exactly the kind of information useful for perpetrating identity theft.

To that end, it has been reported that the cyber attackers targeted sensitive personal information such as names, dates of birth, Social Security numbers, mailing addresses, e-mail addresses, phone numbers, member identification numbers, bank account information, and claims and clinical information.

As for why the attack was not discovered for some eight months, Premera has said little. However, the breadth of the attack - affecting some 11 million people - and the delay in discovering the breach (initiated May 5, 2014 and revealed January 29, 2015) will likely provide much fodder for Premera cyber attack lawsuits.

According to the Puget Sound Business Journal, the New York Times had suggested the Premera cyber attack may have been perpetrated by the same China-based hackers who are suspected of breaching the federal Office of Personnel Management (OPM) last month. However, the VP for communications at Premera, Eric Earling, notes there is no certainty the attack originated in China.

“We don’t have definitive evidence on the source of the attack and have not commented on that,” he said. “It continues to be under investigation by the FBI [Federal Bureau of Investigation] and we would leave the speculation to others.”

That said, it has been reported that the US government has traced all of these attacks to China.

Recent data breach attacks, including the Vivacity data breach and Connexion data breach, are reflective of a shift in targets, according to cyber attack experts. The attacks to the data systems of the federal OPM notwithstanding, it seems apparent that hackers are increasingly shifting their targets to health insurers in part due to the breadth of information available from the health records of clients.

The goal of cyber attackers in recent months, according to claims appearing in the New York Times, is to amass a huge trove of data on Americans.

Given such a headline as “Premera Blue Cross Reports Data Breach of 11 Million Accounts,” it appears they have a good start. While it might be a “win” for the hackers involved in acquiring such data surreptitiously and illegally, it remains a huge loss in both privacy and peace of mind for millions of Americans who entrust their personal information to insurance providers, who, in turn, require such information in order to provide service. Consumers and clients also have historically assumed that such providers have taken steps to ensure their personal information is secure.

When it isn’t - and it takes eight months for a cyber attack to be identified - consumers have little recourse other than to launch a Premera cyber attack lawsuit in order to achieve compensation for the breach, and as a hedge against the possibility of ample frustration down the road were the breach to evolve into a full-blown identity theft.

To that end, five class-action data breach lawsuits have been filed in US District Court for the District of Seattle. According to reports, two of the five lawsuits allege that Premera was warned in an April 2014 draft audit by the OPM that its IT systems “were vulnerable to attack because of inadequate severity precautions,” according to the text of the lawsuits.

Tennielle Cossey et al. vs. Premera asserts that the audit in question, “identified… vulnerabilities related to Premera’s failure to implement critical security patches and software updates, and warned that ‘failure to promptly install important updates increases the risk that vulnerabilities will not be.’

“If the [OPM] audit were not enough, the events of 2014 alone should have placed Premera on notice of the need to improve its cyber security systems.”

Moving forward, Premera Blue Cross data breach lawsuits are being consolidated into multidistrict litigation, given the number of Americans affected and their various locations across the country. An initial case management conference has been scheduled for August 7.


Why Are Health Insurers Hacker Targets?

The massive cyber-attacks targeting health insurers Premera Blue Cross and Anthem Inc. make it clear that hackers increasingly view large healthcare organizations, especially payers, as attractive targets.

"What makes Premera and Anthem high-visibility targets is the volume of personal data they have," privacy and security expert Kate Borten, founder of the consulting firm The Marblehead Group, tells Information Security Media Group. "Of course, every healthcare organization should be concerned, but smaller organizations are probably less visible targets."

Daniel Nutkis, CEO of the Healthcare Information Trust Alliance, testified during a March 18 U.S. House subcommittee hearing on cyberthreats: "Any healthcare organization is a treasure trove of personally identifiable information and protected health information and is very much a high value [target] ... for nation-states to hacktivists."

Millions Affected

Premera says it is notifying 11 million individuals about its breach. The Anthem hack affected 78.8 million individuals, making it the largest incident on the Department of Health and Human Services' tally of major health data breaches.

A Premera spokesman told the Wall Street Journal that the Anthem and Premera incidents were "different cyberattacks." The FBI declined to offer a comment to ISMG about its investigations into the cyberattacks and whether the incidents are related.

Earlier this month, a report from ThreatConnect, a threat intelligence product and services vendor, said clues in the Anthem breach suggest the attack was launched from China. The report noted that malware used in the Anthem attack contained malicious code that ThreatConnect says has been exclusively used in the past by Chinese APT groups. The Wall Street Journal reports that some experts see signs of similar links to China in the Premera hack.

But Deborah Kobza, executive director of the National Health Information Sharing and Analysis Center, says the China link in both attacks is "only speculation at this point," and that there's been "no confirmation."

On March 18, an Anthem spokesperson told ISMG that the insurer has "no new information from the investigation to share with regard to the origin of the attack. We're continuing to work with the FBI and hope to have more to offer upon completion of the investigation soon."

Multiple Motives

Darrell Burkey, a product director at security vendor Check Point Software Technologies, says hackers have multiple potential motives for stealing data from health insurers.

"The information can feed many illicit business opportunities," he says. That ranges from using the data for fraudulent claims to insurers to intercepting Medicare payments. But other motives include "blackmailing wealthy, famous, important people to either pay ransom or their health records will be released," he says. "Consider the wholesome Hollywood [star] that has illicit infections or prominent CEO undergoing counseling or has some dire disease, etc."

Similarly, Borten notes that when millions of personal records are reaped, "the first potential gain is money linked to the sale of the data for identity theft. It is puzzling, however, that Premera reports an intrusion, but no indication that the data was removed."

Data from the Anthem hack hasn't shown up yet on the black market, Kobza says. But stolen information from the recent health insurer attacks eventually could be offered for sale by fraudsters, experts say.

"It's like stealing a famous painting - getting rid of it quietly and profitably is the hard part," says Cameron Camp, security researcher at ESET, a security consulting and technology firm. "In the case of the Anthem breach, it would be better for attackers to either trickle it out into the market, or use it for some secondary attack, like fraudulently filing fake tax returns or other scams."

Although Borten acknowledges that data stolen from Anthem and Premera could turn up on the black market, she says there could be other motives for the assaults. "This was a stealth attack, so it wasn't for a public political reason. It may have been simply a probe to see how vulnerable such organizations are, especially if this was a foreign attack," she says.

Richard Barger, ThreatConnect's chief intelligence officer, says hackers could have targeted the insurers for specific reasons. "Both Anthem and Premera cover a large number of U.S. Federal government employees. If a foreign government obtained sensitive information on the federal workforce, they could leverage this for blackmail or to enable HUMINT [human intelligence] asset development," he says.

Breaking In

So how much effort does it take to breach the IT systems of health insurers?

"In the case of Anthem, the attackers were able to gain access to an administrative account and do a database query," Camp says. "But that's certainly not the only piece to the puzzle, as they still had to do reconnaissance, exfiltration, persist in the network, do lateral discovery and cover their tracks. These aren't simple, cheap, or quick things to do, either in Anthem or the current [Premera] breach."

Jason Matlof, executive vice president at LightCyber, a breach detection solutions firm, notes: "For a professional cybercriminal, it is not terribly difficult to breach a company's network. While legacy threat prevention systems are about 95 percent effective in blocking intrusion attempts, that leaves five percent wide open for cybercriminals to make nearly unlimited attempts to get in with no risks or downside," he says.

In a statement, Premera, based in Mountlake Terrace, Wash., says the company on Jan. 29 discovered that cyber-attackers had executed a sophisticated attack to gain unauthorized access to its IT systems. However, further investigation revealed the initial attack occurred on May 5, 2014, Premera says.

Some security experts say the attack on Premera may have begun months earlier than that. "ThreatConnect found evidence that the faux Premera infrastructure was staged as early as December 2013," ThreatConnect's Barger says. "Initial reports on the Premera breach have indicated that the attack began in May 2014, however, based upon the data that we are seeing, it is likely that there may have been a more long-term effort or at least interest, thus broadening the possible window of exposure."

Meanwhile, the Anthem breach, which was announced on Feb. 4, likely began as early as Dec. 10, 2014, with intrusions likely continuing until Jan. 27, according to a company spokeswoman.

So why did it take months for these cyberattacks to be discovered?

"Detection of an attack takes about 205 days on average, which is long, but better than the average of 229 days last year," Richard Bejtlich, chief security strategist at the security firm FireEye, testified during the March 18 House subcommittee hearing. And 70 percent of the time, organizations learn about a breach from the FBI or other external, rather than detecting it themselves, he said.

Camp told members of the House panel: "Attackers want to persist undetected for as long as they can, so if you didn't catch them attacking you, it's also likely that unless they slip up, you wouldn't notice them silently looking around for things to steal, or possibly even as they spirit data out your digital front door and onto the Internet."

The Wrong Focus

Among the issues that also contribute to the healthcare sector's vulnerability is that the industry long has been "focused on compliance rather than risk-based security," Nutkis testified.

So if the healthcare sector is a growing target of attackers, what should organizations do to step up their defense and detection?

Using smaller databases, protected by robust access controls, could help reduce the damage when attackers strike, Borten, the consultant, suggests. "If older or archived data were kept separately with fewer users having access permissions," the number of records breached in these attacks could have been reduced, she says.

Also, improved cyberthreat information sharing within the healthcare sector could help thwart breaches, Camp says. "If victim organizations can share with others in their trust groups who defend health sector organizations, the whole sector will benefit, especially if that can happen rapidly."

NH-ISAC's Kobza is hopeful that recent hacker attacks will help all healthcare organizations to realize they need to share threat intelligence to help thwart attacks. "This is the model that has been adopted in other critical infrastructure sectors, and given the size of the prize in healthcare, it should become our standard as well."

Lysa Myers, a security researcher at ESET, adds that healthcare organizations can take steps to "retrofit" their systems to better defend against hackers. "Encrypting sensitive data, multi-factor authentication, network segmentation, ongoing employee security training - these things all can be fit into existing systems and they can significantly improve the defenses businesses have in place," she says.


Cyberattackers swipe data of 1.1M at CareFirst

It took a health insurance company almost a year to notify some 1.1 million of its members that their personal data had been swiped by hackers. What's more, the cyberattack wasn't even detected in-house.

The Baltimore, Md.-based CareFirst BlueCross BlueShield health plan announced the cyberattack May 20, despite the attack occurring back in June 2014.

According to a company news release, the cyberattack compromised the names, dates of birth, email addresses, member ID numbers and user names of 1.1 million members.

The cyberattack went undetected by the health plan itself. Rather, as CareFirst Chief Executive Officer Chet Burrell described in a statement, outside cybersecurity firm Mandiant "was the firm that actually discovered the attack."

Only after the health plan brought in cybersecurity firm Mandiant to conduct end-to-end IT security testing in the wake of the Anthem and Premera attacks did CareFirst discover cyberattackers had gained access to a single database that stores members' online services data.

CareFirst officials described the breach as a "sophisticated cyberattack," but there are some security officials who question that general wording that was also used to describe the Anthem breach, which compromised the data of as many as 80 million.

As Kevin Johnson, founder of security consulting firm Secure Ideas, told Healthcare IT News this February following the Anthem breach: From his experience working with insurance companies on their security together with his seven years working at Blue Cross in Florida, "sophisticated" is an inaccurate word choice when used to describe a cyberattack at an insurance company.

"I have never found an insurance company that required a sophisticated attacking incident," he said. "Period.

"They have tons of systems. They have tons of tests," he said. "It's a huge conglomeration of stuff."

As Ken Westin, security analyst at Tripwire, sees the CareFirst breach: "In general, healthcare organizations are not prepared for the level of sophistication associated with the attacks that will be coming at them. It's no surprise that several organizations have been targeted and compromised."

Attackers look for system vulnerabilities, Westin continued, "vulnerabilities that are endemic within an industry through common tools, frameworks, data storage/sharing methods or business processes."
