Deadline approaches for Premera’s security-breach victims to seek credit monitoring

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.seattletimes.com/business/premera-sued-over-security-breaches/

With less than a week left to apply, about 830,000 of almost 11 million
current and former insurance customers have registered for credit
monitoring and identity-theft protection after their personal and medical
information may have been compromised in a security breach that Premera
announced in March.

Mountlake Terrace-based Premera maintains that it does not “have any
evidence that there was any criminal activity on anyone’s account as a
result of the cyberattack,” company spokeswoman Melanie Coon said in an
email statement.

However, the company faces 38 class-action lawsuits containing reports that
may argue otherwise, including stories of false tax returns, unexpected
calls to verify personal information and packages received that were never
ordered.

“This is not just an inconvenience, it is a significant harm to real
people,” said Darrell Cochran, a lawyer for Pfau Cochran Vertetis Amala,
which represents 2,500 people impacted by the Premera breach.

Debra and Gary MacDonald are covered through Gary’s insurance with Boeing
from Blue Cross Blue Shield of Illinois. When news of Premera’s hack came
out in March, Debra said she wasn’t worried because the Woodinville couple
are not covered by the local company.

But less than a month later, they were contacted by the Internal Revenue
Service, informing them a fraudulent tax return had been filed in their
names. Three weeks later, they received a letter from Premera about the
breach.

Since April, when the couple realized their information was compromised —
in what they can only assume was the Premera breach — they also found
fraudulent credit-monitoring accounts had been set up. That information
allowed someone who may have possessed their information improperly to
access credit reports, credit scores and eventually old tax returns. The
couple think that’s what led to the fraudulent tax return.

With her conscientious note-taking and milelong checklists of what to do in
identity-theft cases, Debra MacDonald estimates she has spent 150 hours
fixing the mess.

While the couple are not named in any of the 38 lawsuits filed so far, they
are one of about 4,000 who have retained different firms to represent them
in the case, Cochran said.

“We did not have a monetary loss, but the tangible loss is peace of mind
for the rest of our lives,” she said.

The attack

Premera disclosed the attack on March 17, saying that the 11 million
potential victims included 6 million current and former customers in
Washington state. The breach was discovered on Jan. 29 but initially took
place eight months earlier, on May 5, 2014.

The company said the attackers may have gained access to customers’
information dating as far back as 2002, including names, birth dates,
Social Security numbers, addresses, bank-account information and claim
information, including clinical data.

The attack affected customers of Premera Blue Cross, Premera Blue Cross
Blue Shield of Alaska, Vivacity, Connection Insurance Solutions, as well as
LifeWise affiliate for Washington, Oregon and Arizona and LifeWise
Assurance.

Members of other Blue Cross Blue Shield plans who have sought treatment in
Washington or Alaska may also have been affected, which is why the
MacDonalds received a letter.

One way people who are covered through other insurance companies may have
been affected is through workplace-benefits programs, such as through
Vivacity, a Premera affiliate that offers employee-wellness programs.

Even if someone is not covered by Premera, their information may have been
part of the breach if the individual’s employer purchased wellness programs
from Vivacity, Eric Earling, vice president of corporate communications at
Premera said in an interview during the summer.

Investigations

The FBI is still investigating the attack and working with the company to
determine the scope of the incident. Premera said it also continues to work
with Mandiant, the security firm it hired to investigate the breach and
help repair Premera systems.

“The privacy and security of our members’ personal information remains an
important priority for Premera,” company spokeswoman Coon said.

Washington Insurance Commissioner Mike Kreidler launched a multistate
investigation into the cyberattack a week after it was disclosed. He is
working with his counterparts in Alaska, California, Idaho and Oregon, as
well as the Washington’s Office of the Attorney General. All 50 states,
plus Guam, Puerto Rico and Washington, D.C., have signed an agreement to
participate in the examination.

The commissioner’s office said the first phase of the review exam will
determine if there should be a fuller examination, a settlement or closure
of activities, spokesman Steve Valandra said.

As a ranking member of the Senate Health, Education, Labor and Pensions
Committee, Sen. Patty Murray is also watching the investigation.

She sent a letter to Premera days after the attack was disclosed,
questioning the company’s failure to immediately inform current and former
policy holders.

The company and the FBI have continued to be tight-lipped about the details
of the breach, and the investigation is ongoing. But Murray has directed
her staff to closely monitor the progress toward “remedying harm done to
their” customers and to keep her informed.

Additionally, as part of a bipartisan-oversight initiative to examine the
health industry’s preparedness for cyberattacks, Murray is working to
explore the federal role in health-information security, instructing her
staff to meet weekly with key stakeholders.

The 38 lawsuits have been consolidated in Oregon and transferred to U.S.
District Judge Michael Simon. Lead counsel Kim Stephens from Tousley Brain
Stephens said the multidistrict litigation panel (who decides if multiple
cases can be consolidated) was worried that most of the federal judges in
Washington are covered by Premera. A trial date has been tentatively set
for February 2018 but could be settled or dismissed before then.

Debra MacDonald doesn’t want a big payout — just paid for her time and the
day of vacation her husband used to go to the bank with her.

She said she is angry about the lack of protection around her private
information, but “I imagine people who have suffered monetary losses are
even more furious.”

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!