Alaska is participating in an multi-state investigation into Premera following a cyber attack on the health insurer early this year. The state’s insurance director says she has a lot of questions about why the attack occurred and why it took the company two months to announce it publicly.
Washington State’s Insurance Commissioner is taking the lead in the investigation into Premera. Six million customers were affected in Washington. In Alaska, the attack exposed the personal data of 700,000 current and former members of Premera dating back to 2002. The information exposed includes social security numbers, date of birth, addresses and some bank account numbers:
“There was an incredible amount of personal data that was released in this breach.”
Lori Wing-Heier directs the state’s Division of Insurance. She says even though Washington State is leading the investigation, Alaska will have just as much control over how it’s conducted. She is working with the state’s Department of Law to help determine the scope of the investigation into the breach:
“It occurred in May of 2014, it wasn’t noted until January 2015 and it wasn’t reported to regulators until March of 2015. So that is basically what the examination will focus on. We’ll be looking at what procedures they had in place and what happened during that time frame.”
Wing-Heier is especially concerned about the two month gap between when the company discovered the attack and when Premera made it public. The company says it needed to cleanse and secure it’s IT systems prior to making an announcement to prevent the attackers from engaging in more malicious activity. Wing-Heier isn’t satisfied with that explanation:
“We want a better answer. We want a better understanding of what happened.”
Premera spokesperson Eric Earling says he looks forward to working with state insurance regulators during their investigation. The company is also coordinating with the FBI. Earling says there is no evidence any of the personal data has been used by the thieves:
“So that is a difference than some major national retailers when they’ve had these sorts of experiences with a cyber attack, have experienced personal information being used in a fraudulent way right after the attack and that’s not been the experience in this case.”
The company has set up a website, Pemeraupdate.com to provide information about the attack and is offering free credit monitoring for two years to affected consumers. Eva Velasquez is President of the Identity Theft Resource Center, a California based non-profit. She says it’s important for current and former Premera customers to take advantage of the credit monitoring program:
“Now that this information is out there, just because it hasn’t been used today, doesn’t mean it won’t be used tomorrow.”
Velasquez says not all data breaches are created equal. Thieves stole credit card data in recent cyber attacks on big retailers like Target and Home Depot. That can be a hassle for consumers to cancel credit cards and open new ones, but the threat to broader personal information is limited. In contrast, Velasquez says social security numbers are a “treasure trove” for thieves and they can use them to commit all types of identify theft:
“Your payment card data information is not a personal identifier for you. It doesn’t follow you around for the rest of your life. Your social security number and your finger prints do. You can’t get rid of those things, now you just have to monitor those things.”
Velasquez recommends Premera customers continue to monitor their credit for the rest of their lives. And she says there are a lot of free or inexpensive services available. She says Alaskans should also be on alert for phishing scams related to the data breach. Premera says it will not e-mail or make unsolicited phone calls to customers regarding the incident.
Alaska is also participating in a multi state investigation of Anthem, another Blue Cross Blue Shield insurance company that experienced a data breach the same week as Premera. Lori Wing-Heier says the state has 34,000 customers affected by that breach.
This story is part of a reporting partnership between APRN, NPR and Kaiser Health News.