MOUNTLAKE TERRACE, Wash. -- Premera Blue Cross, a health insurer based in the Pacific Northwest, says it was the victim of a cyberattack that could affect 11 million people.
"What we discovered is there was unauthorized access to our IT system," said Eric Earling, a spokesman for Premera.
The company says hackers gained access to its information technology systems. The breach could have exposed members' information including names, dates of birth, Social Security numbers, mailing and email addresses, phone numbers, member ID numbers and bank account information.
It says claims information, including clinical information as well as the personal information of people who did business with Premera, could also have been exposed.
The Mountlake Terrace company says it has not found evidence that data was removed from its systems or that customer information has been used inappropriately.
The attack occurred May 5, 2014, and Premera discovered it Jan. 29.
The company says it was advised by security professionals to wait. until now to alert the public.
"What we were told is that sophisticated cyber attackers like this will engage in more malicious activity if you announce before securing your IT systems," said Earling. "We felt like it was important to protect consumer information by securing our IT information first and then making the announcement."
The insurance company is offering two free years of credit monitoring to all of it's customer, including identity theft insurance.
Corey Nachriener, a cyber security expert with WatchGuard Technologies, based in Seattle, said everyone should use credit monitoring, and also use firewalls and anti-virus programs for their home computers.
He hopes this cyber attack may push companies to stop asking for certain information from customers in the future.
"The one thing I think healthcare should be asking is, "Why do we need the social security number," said Nachriener. "Is that really a critical piece of data? I don’t believe it is."
Washington State Office Insurance Commissioner Mike Kreidler issued this statement following the acknowledgement of the cyberattack.
Premera notified me this morning about a cyberattack affecting more than 6 million of its Washington customers and assured me they are taking all necessary steps to alert impacted consumers and to protect their confidential information. They also committed to take all necessary steps to bolster their security systems against future attacks.
I shared my immediate concern that consumers be notified as soon as possible about this data breach and that Premera make all resources available to protect consumers’ personal data.
I’m concerned that while Premera learned of this attack in January, it took approximately six weeks to notify my office. I understand that the company was working closely with the FBI and cyberattack experts to clean their system of the infection. Premera has assured me that there is no evidence to date that any information was removed from their system or that any data has been used.
Click here to visit the Premera website for more information.
This story is breaking and will be updated throughout the day.