5 Breach Lawsuits Filed Against Premera
Meanwhile, Health Insurer Provides Answers to Congress
Five class action lawsuits have been filed in federal court against Premera Blue Cross in the wake of a data breach that affected 11 million individuals across the country. Meanwhile, its CEO has provided answers to questions from a U.S. senator regarding the hacker attack.
The five lawsuits filed last week in the U.S. District Court in Seattle make similar allegations - that the company failed to protect customers' confidential information, putting those affected at risk for identity theft. Among the complaints' allegations is that the data breach resulted from Premera's alleged "failures to follow HIPAA."
Two of the suits also note that Premera was warned in an April 2014 draft audit report by the U.S. Office of Personnel Management that its IT systems "were vulnerable to attack because of inadequate security precautions" (see Security Audit of Premera Found Issues).
"That audit identified ... vulnerabilities related to Premera's failure to implement critical security patches and software updates, and warned that 'failure to promptly install important updates increases the risk that vulnerabilities will not be remediated and sensitive data could be breached,'" notes one lawsuit, Tennielle Cossey, et al vs. Premera.
That suit also states, "If the [OPM] audit were not enough, the events of 2014 alone should have placed Premera on notice of the need to improve its cyber security systems." The complaint notes that Community Health Systems in August 2014 also revealed a hacker breach that affected 4.5 million patients. "This prompted a 'flash warning' by the FBI to entities in the healthcare industry that it had observed 'malicious actors targeting health care related systems,'" the suit says.
The suits are seeking unspecified damages, both "actual and statutory." Among the allegations in some of the suits are violations of the Washington Consumer Protection Act.
A Premera spokeswoman declined to comment about the suits. She noted, however, that Premera "expected there would be class action lawsuits filed" against the company in the wake of the breach "because that's typically what happens."
Attorney John Yanchunis of the Tampa-based law firm Morgan & Morgan, which is representing plaintiffs in one of the Premera class action suits, says he expects that the cases eventually will be consolidated into one case in the federal court. The Premera breach "is more egregious than the Home Depot or Target breaches because those [credit] cards can be cancelled," he says. "Unlike those other breaches, the information involved in the Premera breach can be used to file fraudulent tax returns and fraudulently secure healthcare in someone else's name."
In addition to the lawsuits, Premera is also dealing with Congressional scrutiny in the wake of the breach.
In a March 20 letter to Premera CEO Jeffrey Roe, Sen. Patty Murray, D-Wash., on behalf of the Senate Committee on Health, Education, Labor and Pensions, asked the company to answer 15 questions related to the breach and the company's information security practices. Those questions range from why Premera waited six weeks to publicly announce the breach after its discovery, to whether the hacking incident is related to the Anthem Inc. hacking breach, to steps Premera is taking to bolster its information security in the wake of the incident.
In the March 27 response letter to Murray, which Premera provided to Information Security Media Group, Roe says the public announcement of the breach was delayed based on advice from Mandiant, a consulting firm it had hired to assist in the forensic investigation of the incident.
"Mandiant warned Premera about the dangers of making any public announcement about the attack until the following steps could be taken: 1) Mandiant completed scanning all servers and workstations for areas of infection to identify all attack vectors; 2) systems were remediated in a concentrated time to lock the attackers out of system; and, 3) remediation was followed by scanning to verify that all backdoors were eliminated," the letter states.
Roe also describes in the letter some details about the breach: "Upon penetration of Premera's network, the attackers gained access to log-in credentials and then deployed other tools and tactics to gain broad access to Premera's network." He adds: "Mandiant's investigation to date has identified only intrusion but no exfiltration of information from Premera's systems. Mandiant has not conclusively determined the initial vector of compromise. That is, the [company doesn't] know if the malware came from a phishing email, a contaminated website, or another source of intrusion."
The letter also notes that Mandiant "found no evidence that the cyberattack on Premera was the result of, or was related to, any of the items identified in the OPM [audit] report." Plus, Roe notes: "Premera is not in a position to opine about whether the Premera and Anthem attacks were connected or which attack occurred first. Because these attacks are the subject of active FBI investigations, Premera encourages your office to contact the FBI for additional information."
Premera is implementing several Mandiant recommendations to bolster security moving forward, Roe says in the letter. In addition to removing all malware and backdoors from its IT systems in response to this cyberattack, Roe says Premera has implemented a number of system enhancements, including, among others:
- Deploying multiple-factor authentication for remote access to Premera's network;
- Scanning servers, desktops and laptops as a requirement for continued use of devices on the network;
- Installing enhanced monitoring tools to provide reports of any new attacks on our computer networks;
- Enhancing and expanding security and system event logging capabilities; and
- Engaging a service provider for advanced monitoring services.
Besides the lawsuits and the Congressional scrutiny, Premera is also facing a probe from insurance officials in three states - Washington, Oregon and Alaska (see 3 States to Probe Premera Breach).
Washington Insurance Commissioner Michael Kreidler said that the states will conduct a "market conduct examination" of Premera related to the breach. The examination will include on-site reviews of the insurer's financial books, records, transactions and how they relate to its activities in the marketplace, Kreidler explained in a statement.