Premera Defends Notification Delay in Recent Cyberattack
March 31, 2015 in News
Last week, Premera Blue Cross sent a letter to Sen. Patty Murray (D-Wash.) defending its decision to wait more than six weeks between discovering a recent data breach and alerting the public, Politico’s “Morning eHealth” reports (Gold et al., “Morning eHealth,” Politico, 3/31).
On March 17, Premera — a health insurer based in Washington state — announced a massive cyberattack that occurred in May 2014 and might have exposed the personal information of more than 11 million individuals.
Premera discovered evidence of the attack in January, and further investigation found that the attack itself had occurred on May 5, 2014.
The compromised system included data from four Premera health plans or affiliates and stored individuals’ personal information, such as bank account details, birth dates, Social Security numbers and more.
Following the announcement, Premera started to mail letters to affected customers and said it would offer two years of no-cost credit monitoring and identity theft protection. In addition, the company created a call center and a website to share information about the incident (iHealthBeat, 3/18).
Earlier this month, Murray sent a letter to Premera, questioning why the insurer had not told its customers about the cyberattack sooner (“Morning eHealth,” Politico, 3/31).
In the letter, Murray called on Premera to answer 15 questions related to the cyberattack by March 27, including:
- When the insurer expected to finish notifying affected consumers;
- Why it did not immediately disclose the data breach to HHS’ Office of Civil Rights or consumers; and
- What steps Premera planned to take to improve its security (Murray Letter, 3/20).
Premera’s Letter Details
In a six-page letter, Premera CEO Jeff Roe said that the insurer did not immediately alert consumers and HHS’ OCR about the breach because doing so “would [have] alert[ed] the attackers and could [have] prompt[ed] them to download sensitive information [or] further embed themselves in the system.”
Roe added that Mandiant, a cybersecurity firm, had advised the health plan to remove malware from its system before announcing the cyberattack. According to Roe, Mandiant has not found evidence of stolen information, nor can it determine the source of the malware.
Further, the letter stated that all 11 million affected customers should be notified of the breach by this week.
In response to Premera’s letter, Murray said, “I appreciate Premera’s prompt response to my letter, but I remain seriously concerned about the pace of notification, as well as how impacted families and businesses are being informed and assisted.” She added, “I will continue monitoring progress closely to make sure all those affected by this breach in Washington state and across the country get the support they need” (“Morning eHealth,” Politico, 3/31).
Suit Claims Premera Failed To Protect Data
In related news, a new class-action lawsuit filed on Thursday claims that Premera failed to protect its customers’ personal data and promptly notify them of the data breach reported this month, Modern Healthcare reports.
The suit, which is one of at least five class-action suits related to the breach, was filed on behalf of three plaintiffs from Washington state and Nevada. The suit alleges that Premera “breached its duty to protect and safeguard its customers’ personal and health information and take reasonable steps to contain the damage caused where any such information was compromised.”
In addition, the suit alleges that Premera has not yet “fully and accurately” informed all affected customers. According to the suit, Washington state law requires companies to notify consumers of breaches as quickly as possible.
Ken Dort, a partner in Drinker Biddle & Reath’s Intellectual Property Practice Group, said the case might hold some merit related to the claim that Premera waited too long to report the breach. However, he noted that it could be difficult in such a case to win significant damages.
The lawsuit seeks unspecified damages (Schencker, Modern Healthcare, 3/27).