Premera Blue Cross, a major provider of health care services, disclosed today that an intrusion into its network may have resulted in the breach of financial and medical records of 11 million customers. Although Premera isn’t saying so just yet, there are independent indicators that this intrusion is once again the work of state-sponsored espionage groups based in China.
In a statement posted on a Web site set up to share information about the breach — premeraupdate.com — the company said that it learned about the attack on January 29, 2015. Premera said its investigation revealed that the initial attack occurred on May 5, 2014.
“This incident affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and our affiliate brands Vivacity and Connexion Insurance Solutions, Inc,” the company said. Their statement continues:
“Our investigation determined that the attackers may have gained unauthorized access to applicants and members’ information, which could include member name, date of birth, email address, address, telephone number, Social Security number, member identification numbers, bank account information, and claims information, including clinical information. This incident also affected members of other Blue Cross Blue Shield plans who sought treatment in Washington or Alaska.
“Individuals who do business with us and provided us with their email address, personal bank account number or social security number are also affected. The investigation has not determined that any such data was removed from our systems. We also have no evidence to date that such data has been used inappropriately.”
Premera said it will be notifying affected customers in letters sent out via postal mail, and that it will be offering two years of free credit monitoring services through big-three credit bureau Experian.
ANOTHER STATE-SPONSORED ATTACK?
The health care provider said it working with security firm Mandiant and the FBI in the investigation. Mandiant specialize in tracking and blocking attacks from state-sponsored hacking groups, particularly those based in China. Asked about clues that would suggest a possible actor involved in the breach, Premera deferred to the FBI.
An official with the FBI’s Seattle field office confirmed that the agency is investigating, but declined to discuss details of its findings thus far, citing “the ongoing nature of the investigation. “Cybercrime remains a significant threat and the FBI will continue to devote substantial resources and efforts to bringing cyber criminals to justice,” the FBI said in an emailed statement.
There are indications that this may be the work of the Chinese espionage group tied to the breach disclosed earlier this year at Anthem, an intrusion that affected some 78 million Americans.
On Feb. 9, 2015, KrebsOnSecurity carried an exclusive story pointing to clues in the Anthem breach which suggested that the attackers blamed for that breach — a Chinese state-sponsored hacking group known variously as “Deep Panda,” “Axiom,” “Group 72,” and the “Shell_Crew” — began chipping away at Anthem’s defenses in late April 2014. The evidence revolved around an Internet address that researchers had tied to Deep Panda hacking activity, and that address was used to host a site called we11point.com (Anthem was previously known as Wellpoint prior to its corporate name change in late 2014).
As that story noted, Arlington, Va. based security firm ThreatConnect Inc. tied that Wellpoint look-alike domain to a series of targeted attacks launched in May 2014 that appeared designed to trick Wellpoint employees into downloading malicious software tied to the Deep Panda hacking gang.
On Feb. 27, 2015, ThreatConnect researchers published more information tying the same threat actors and modus operandi to a domain called “prennera.com” (notice the use of the double “n” there to mimic the letter “m”.
“It is believed that the prennera[.]com domain may have been impersonating the Healthcare provider Premera Blue Cross, where the attackers used the same character replacement technique by replacing the ‘m’ with two ‘n’ characters within the faux domain, the same technique that would be seen five months later with the we11point[.]com command and control infrastructure,” ThreatConnect wrote in a blog post three weeks ago.
More on this story as it develops. Stay tuned.