Could same hackers be responsible for Premera and Anthem breaches?

By Byron V. Acohido

Predictions that 2015 would be a watershed year for stolen healthcare records are bearing out.

Related: Anthem tries to dodge liability for records breach

On Tuesday, health insurer Premera Blue Cross disclosed that a cyber attack that commenced in May 2014 resulted in exposure of medical data and financial information of 11 million customers.

Stolen records included claims data and clinical information, as well as financial account numbers, Social Security numbers, birth dates and other personal data.

The Premera breach appears to involve a record number of victims for whom actual medical records are now circulating for sale in the cyber underground.

Records for some 80 million people were stolen from the nation’s no. 2 insurer Anthem, disclosed last month, and records for 4.5 million people were hacked from Community Health Systems, parent of 206 hospitals in 29 states, disclosed last summer.

But the Anthem and CHS breaches involved the theft of personal data only, not medical records. That’s splitting hairs. Personal and medical records are the building blocks for the worst forms of identity theft.


“With Anthem and Premera, hackers not only got the skeleton keys to lives, they got the key ring and the key chain,” says Adam Levin, chairman and co-founder of identity and data risk management consultancy IDT911, which sponsors ThirdCertainty. “Members and employees whose data was exposed — especially their SSNs — will be forced to look over their shoulders for the rest of their lives.”

Seattleites hit hard

More than half of the victims — about 6 million Premera patrons — reside in Washington state, including employees of Amazon, Microsoft and Starbucks. The rest are spread through the other 49 states. These companies now are prime targets for spear phishing attacks.

It doesn’t take much imagination for a criminal to use stolen data to create spoofed accounts to come across as a trusted colleague to send viral email and social media posts to fellow employees as a way to breach any of these corporate networks.


On a lower rung of criminal activity, a whole generation of scammers who’ve mastered fraudulent online transactions using stolen credit card account numbers are ready to move to the next level, observes Lisa Berry-Tayman, senior privacy and governance advisor at IDT911 Consulting.

“Criminals learn,” says Berry-Tayman. “The credit card thief steals the data, charges until the account is closed and the money is gone. To steal more money over a longer period of time, he or she must think bigger, and bigger is identity theft. Why just spend their money for a finite period of time when you can become them and spend their money for years and years?”

The healthcare industry has arisen as a target because it has moved aggressively to get rid of paper records and to collect, store and make use of healthcare data in digital form. The goal: to boost productivity. Trouble is, the healthcare industry, like many other industries, continues to make the digital push, including intensive use of the Internet cloud, without adequately accounting for security basics, security experts argue.

Healthcare data at risk — a three-part series: Why medical records are easy to hack, lucrative to sell

“Today’s Premera breach news once again demonstrates the failure of flawed, outdated assumptions, an over-reliance on guard-the-entry-point security and simplistic single-key encryption schemes,” says Richard Blech, CEO of encryption technology company Secure Channels. “This is a quaint and dangerous approach to a 21st century problem.”

Trent Telford, CEO of data security company Covata, agrees. “For many of these companies, data security has been an afterthought or something they did not deem necessary,” Telford says. “However this breach again highlights how vulnerable the health care and insurance industries are to attacks. People are entrusting these organizations with their personal information and it is the responsibility of corporations to take appropriate steps to ensure it is protected — this must include data encryption.”

Common culprits?

Premera is keeping details of how the breach was carried out close to the vest. The FBI and IT forensics specialist Mandiant, a division of FireEye, are investigating.

A good guess is that Premera was the focal point of a targeted attack, says Josh Cannell, malware intelligence analyst at Malwarebytes Labs.

“A vast majority of cyberattacks targeting enterprise networks originate by attackers gaining access to internal networks through social engineering techniques like phishing/spear phishing e-mails that closely resemble something employees are familiar with,” Cannell says. “Once attackers have an access point inside an enterprise network, they can then use privilege escalation techniques and install malware to maintain a presence on the network.”

Cannell says it’s plausible the same hacking collective hit Anthem and Premera. “Since the attack happened around the same time as the Anthem breach, and was targeting a similar organization, it seems reasonable to say the threat likely originated from the same actors,” Cannell says.
