17 Mar 15

Premera Blue Cross Breach Exposes Financial, Medical Records

Premera Blue Cross, a major provider of health care services, disclosed today that an intrusion into its network may have resulted in the breach of financial and medical records of 11 million customers. Although Premera isn’t saying so just yet, there are indicators that this intrusion is once again the work of state-sponsored espionage groups based in China.

In a statement posted on a Web site set up to share information about the breach — premeraupdate.com — the company said that it learned about the attack on January 29, 2015. Premera said its investigation revealed that the initial attack occurred on May 5, 2014.

“This incident affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and our affiliate brands Vivacity and Connexion Insurance Solutions, Inc,” the company said. Their statement continues:

“Our investigation determined that the attackers may have gained unauthorized access to applicants and members’ information, which could include member name, date of birth, email address, address, telephone number, Social Security number, member identification numbers, bank account information, and claims information, including clinical information. This incident also affected members of other Blue Cross Blue Shield plans who sought treatment in Washington or Alaska.

“Individuals who do business with us and provided us with their email address, personal bank account number or social security number are also affected. The investigation has not determined that any such data was removed from our systems.  We also have no evidence to date that such data has been used inappropriately.”

Premera said it will be notifying affected customers in letters sent out via postal mail, and that it will be offering two years of free credit monitoring services through big-three credit bureau Experian.

ANOTHER STATE-SPONSORED ATTACK?

The health care provider said it is working with security firm Mandiant and the FBI in the investigation. Mandiant specializes in tracking and blocking attacks from state-sponsored hacking groups, particularly those based in China. Asked about clues that would suggest a possible actor involved in the breach, Premera deferred to the FBI.

An official with the FBI’s Seattle field office confirmed that the agency is investigating, but declined to discuss details of its findings thus far, citing “the ongoing nature of the investigation.”

“Cybercrime remains a significant threat and the FBI will continue to devote substantial resources and efforts to bringing cyber criminals to justice,” the FBI said in an emailed statement.

There are indications that this may be the work of the Chinese espionage group tied to the breach disclosed earlier this year at Anthem, an intrusion that affected some 78 million Americans.

On Feb. 9, 2015, KrebsOnSecurity carried an exclusive story pointing to clues in the Anthem breach which suggested that the attackers blamed for that breach — a Chinese state-sponsored hacking group known variously as “Deep Panda,” “Axiom,” “Group 72,” and the “Shell_Crew” — began chipping away at Anthem’s defenses in late April 2014. The evidence revolved around an Internet address that researchers had tied to Deep Panda hacking activity, and that address was used to host a site called we11point.com (Anthem was previously known as Wellpoint prior to its corporate name change in late 2014).

As that story noted, Arlington, Va. based security firm ThreatConnect Inc. tied that Wellpoint look-alike domain to a series of targeted attacks launched in May 2014 that appeared designed to trick Wellpoint employees into downloading malicious software tied to the Deep Panda hacking gang.

On Feb. 27, 2015, ThreatConnect researchers published more information tying the same threat actors and modus operandi to a domain called “prennera.com” (notice the use of the double “n” there to mimic the letter “m”).

“It is believed that the prennera[.]com domain may have been impersonating the Healthcare provider Premera Blue Cross, where the attackers used the same character replacement technique by replacing the ‘m’ with two ‘n’ characters within the faux domain, the same technique that would be seen five months later with the we11point[.]com command and control infrastructure,” ThreatConnect wrote in a blog post three weeks ago.
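The two look-alike domains discussed above rely on the same trick: swap a letter for a sequence that renders almost identically (“nn” for “m”, “11” for “ll”). The following detector is an added example, not code from the original post or from ThreatConnect; it takes a defender's watch-list of brand domains (the list below is constructed, with the two brands named in the article plus one more), collapses the known confusable substitutions, and flags domains that then match a protected brand. It goes a little beyond the article's two cases by also catching single-character typosquats, the brand on a different TLD, and the brand used as a subdomain of some other registrable name.

```python
from typing import List, Tuple

# Constructed watch-list of brands a defender wants to protect (assumption, not from the post).
WATCHLIST = ["premera.com", "wellpoint.com", "anthem.com"]

# Substitutions seen in the article (double-n for m, 1 for l) plus a few other common swaps.
# Multi-character patterns come first so "11" becomes "ll" before a lone "1" becomes "l".
CONFUSABLES = [("rn", "m"), ("nn", "m"), ("vv", "w"), ("11", "ll"), ("1", "l"), ("0", "o")]


def canonicalize(label: str) -> str:
    """Undo the confusable substitutions so a look-alike collapses onto the brand spelling."""
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def labels_of(domain: str) -> List[str]:
    return [p for p in domain.lower().strip(".").split(".") if p]


def brand_label(domain: str) -> str:
    """Label left of the suffix; a naive two-label split, enough for .com-style names."""
    parts = labels_of(domain)
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, watchlist: List[str] = WATCHLIST) -> Tuple[str, str]:
    """Return (verdict, brand). Verdicts: legitimate, lookalike:<reason>, unrelated, invalid."""
    parts = labels_of(domain)
    if not parts:
        return ("invalid", "")
    registrable = ".".join(parts[-2:])
    for brand in watchlist:
        if registrable == brand.lower():
            return ("legitimate", brand)          # the brand's own domain, any subdomain
    candidate = brand_label(domain)
    for brand in watchlist:
        target = brand_label(brand)
        if candidate == target:
            return ("lookalike:other-tld", brand)  # premera.net, premera.co, ...
        if canonicalize(candidate) == target:
            return ("lookalike:confusable", brand) # prennera.com, we11point.com
        if edit_distance(candidate, target) == 1:
            return ("lookalike:typo", brand)       # premara.com
        if target in parts[:-2]:
            return ("lookalike:brand-in-subdomain", brand)  # premera.com.evil.example
    return ("unrelated", "")


if __name__ == "__main__":
    for d in ["premera.com", "prennera.com", "we11point.com", "premara.com",
              "premera.net", "premera.com.login-portal.example", "example.org"]:
        print(f"{d:40} {classify(d)}")
```

Run it over newly registered domains or over the sender and link domains in inbound mail to get an early warning that someone is preparing a look-alike of your brand; the watch-list and the substitution table are the two things to tune for your own environment.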

More on this story as it develops. Stay tuned.


58 comments

  1. Donald J Trump

    The story states “Cybercrime remains a significant threat and the FBI will continue to devote substantial resources and efforts to bringing cyber criminals to justice” but my question is will they ever bring anyone to justice when the criminals are clearly in Mainland China.

    • Considering that they couldn’t even arrest corrupt bankers that ripped off the taxpayers during the ’08 housing crash, I’m not expecting much action against Chinese nationals

      • Don’t forget about the corrupt politicians that were also involved.

      • Corrupt bankers? You need to watch this video:

        https://www.youtube.com/watch?v=w0mimIp8mr8

        Or, search for:
        Catherine Austin Fitts at the Secret Space Program Conference, 2014 San Mateo You tube

        Are financial fraud and market manipulations actually mechanisms for financing the black budget and centralized governance necessitated by high-tech secrecy?

    • that’s about as pointless as toothpaste that causes cavities.

      They’re in China for a reason. Not only is China extremely crime-friendly, it also is theoretically a state-sponsored hijack. The only way the Chinese will arrest them will be in their own courts, should the guys behind it attack their own government, which they won’t.

      In other words, don’t hold your breath.

      • MakingItTooEasyForThem

        If the perpetrators aren’t going to be brought to justice (which I don’t expect they will be anytime soon, as I await the next major breach); or, the state-sponsored leaders won’t stop it; or, there are no enforcement of badness coming down the pipes (which there isn’t), cut them off the net.

        A petition:
        https://www.change.org/p/icann-internet-corporation-for-assigned-names-and-numbers-tell-the-worldwide-internet-maintainers-to-disconnect-select-networks-in-china-from-the-internet-internet-2-0

        • That would be awesome. The UN should vote for an Internet blockade to these state sponsored hacker countries.

        • Erm…blocking the world’s second largest economy and 1/4 of the world’s population? That’s gonna be tricky to pull off, and probably wouldn’t help. At minimum, it’d have a huge impact on 1.5 billion+ innocent Chinese while the select group of skilled hackers waltzed around the blocks.

          • MakingItTooEasyForThem

            The article doesn’t state cutting off an entire country outright. It’s talking about cutting off a select network within a country. However, if say China perpetrators wish to then move to other networks within their country and pull more of their country into their badness, and if that country’s leadership is that intent on keeping badness running, the outside countries would have the option to cut off more of the country.

            They could waltz around entire blocks/regions of their country, and be allowed by leadership to do just that; however, be prepared to have more regions of the country disconnected from the rest of the world. That’s not to say that they couldn’t clean things up and get back on the worldwide network (but right now I see no convincing evidence of that happening).

        • I am in agreement with Jon Marcus. I do not think it is a good idea to disconnect entire networks, because of politics or illegal acts. What if someone decides they do not like US politics, I would not want to be cut off from the rest of the world. I also think it is a misconception that cutting off China would actually change anything. I think they would just find another way to get connected.

          • MakingItTooEasyForThem

            If the perpetrators wish to move to other internal country networks enough, and if those major regional networks were disconnected from the outside world, eventually there would be NO connection to the outside world—leaving only their internal networks and the internal leadership may then contend with that however they wish (clean it up or leave it dirty).

        • Devil's Advocate

          If we cut off those “select” networks in China then how would we (the ‘friendly’ nations and our allies) hack into Chinese systems?

          Or do people think that only the Chinese are in the Cyber Warfare game?

          • The ‘friendly’ nations and our allies may play on their own networks. Some of us are not into these games.

            We could build a network just for them to play on–play all they want (Nintendo, Wii, etc for state-sponsored players). The ‘friendly’ nations and our allies haven’t curtailed 11 million breached records at Premera and tens of millions more at Anthem.

            • It’s not even the duty of ‘friendly’ nations and our allies to protect from breaches, as they play their games.

    • When does our government make the decision to go to war with countries that attack our infrastructure. North Korea, China, who next? And what will this war look like? Will it be a cyber war?

  2. Small voluntary orgs like clubs and associations have long monitored the misuse of their members’ data by inserting tracer entries in their systems.

    Entries with wrong surnames or distinctive middle initials, for example, combined with valid contact data, can alert people to the misuse of these lists.

    If state-sponsored actors are trying to get certain peoples’ information, this won’t help. But if they’re simply looking to sell dumps, it will.
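The tracer-entry idea in the comment above is a honeytoken: seed the member list with a few records that no real person matches, each tied to a contact address only the list owner controls, so any mail or call to that address proves the list leaked. The code below is an added example, not from the original post or any commenter; the signing key, the tracer mailbox domain and the sample member records are all constructed. It derives tracers deterministically from a secret so the defender never has to store them, and, going one step past the comment, seeds different lists with different tracer sets so a leaked dump can be attributed to the list it came from.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List

# Defender-held secret, constructed for this example; in practice it lives in a secrets store.
TRACER_KEY = b"constructed-demo-key-do-not-reuse"

# Sixteen letters so a hex digit of the tag picks the distinctive middle initial.
INITIALS = "ABCDEFGHJKLMNPQR"


def tracer_tag(dataset: str, n: int) -> str:
    """Deterministic, unguessable tag per (dataset, n): tracers can be regenerated, never stored."""
    msg = f"{dataset}:{n}".encode()
    return hmac.new(TRACER_KEY, msg, hashlib.sha256).hexdigest()[:10]


def make_tracers(dataset: str, count: int) -> List[Dict[str, str]]:
    """Tracer records: a surname no real member has, a distinctive middle initial, and a
    mailbox the defender controls (tracer.example is a constructed placeholder domain)."""
    records = []
    for n in range(count):
        tag = tracer_tag(dataset, n)
        records.append({
            "surname": "Canary" + tag[:4].upper(),
            "middle_initial": INITIALS[int(tag[4], 16)],
            "email": f"m-{tag}@tracer.example",
            "dataset": dataset,
        })
    return records


def seed(members: List[Dict[str, str]], dataset: str, count: int) -> List[Dict[str, str]]:
    """Return a copy of the member list with tracers appended; the 'dataset' marker is
    dropped so the tracers are indistinguishable from ordinary members."""
    seeded = list(members)
    for rec in make_tracers(dataset, count):
        seeded.append({k: v for k, v in rec.items() if k != "dataset"})
    return seeded


def tracer_hits(dump: Iterable[Dict[str, str]], datasets: Iterable[str], count: int) -> Dict[str, int]:
    """Count how many tracers from each seeded dataset appear in a leaked dump."""
    datasets = list(datasets)
    lookup = {}
    for ds in datasets:
        for rec in make_tracers(ds, count):
            lookup[rec["email"]] = ds
    hits = {ds: 0 for ds in datasets}
    for rec in dump:
        ds = lookup.get(rec.get("email", "").strip().lower())
        if ds is not None:
            hits[ds] += 1
    return hits


def attribute_leak(dump: Iterable[Dict[str, str]]) -> str:
    """Name the seeded list most likely to be the source of a dump, or report no match."""
    hits = tracer_hits(dump, ["members-2014", "vendors-2014"], 5)
    best = max(hits, key=hits.get)
    return best if hits[best] > 0 else "no-tracer-match"


# Constructed sample data: two real-looking members, two seeded lists, one leaked dump.
MEMBERS = [
    {"surname": "Doe", "middle_initial": "A", "email": "jdoe@mail.example"},
    {"surname": "Roe", "middle_initial": "B", "email": "rroe@mail.example"},
]
MEMBER_LIST = seed(MEMBERS, "members-2014", 5)   # indices 2..6 are tracers
VENDOR_LIST = seed([], "vendors-2014", 5)

# A dump holding both real members plus the 2nd and 4th tracer from the member list.
LEAKED_DUMP = [MEMBER_LIST[0], MEMBER_LIST[1], MEMBER_LIST[3], MEMBER_LIST[5]]


if __name__ == "__main__":
    print(tracer_hits(LEAKED_DUMP, ["members-2014", "vendors-2014"], 5))
    print("leak source:", attribute_leak(LEAKED_DUMP))
```

As the commenter notes, this detects resale and bulk misuse of a list, not a targeted actor who already knows which records they want; the tracer mailbox also has to stay reachable for years, since dumps are often traded long after the breach.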

  3. State-sponsored hacking of a health insurance provider in Alaska? Probably looking for dirt on Sarah Palin.

    Guess that means there’s a NEW criterion to apply when choosing a personal health plan: AVOID any plan that is likely to be chosen by high-profile politicians & such who might be persons of interest to nation-states and other ne’er-do-wells.

    • Not just Alaska, but also Washington (state I assume?). So, all the information one would need in order to get access to Microsoft’s (and a lot of other tech companies’) management info. What do you mean, enforce trade sanctions because piracy? Nice bank account you have there – hope nothing happens to it.

  4. And while they’re doing this their birthing tourism continues. Just remember they’re laughing at us, the whole world is laughing at us while we waste our time trying to get to mars.

  5. I was involved in that first Anthem attack but have received no confirmation from Anthem by mail as promised that my personal information was obtained by attackers.

    They sent out a general letter about the attack and said to wait for a letter if I was personally involved. So far, nothing. Doesn’t matter, I froze my credit accounts anyway.

    I suspect that since the Chinese are behind this they are trying to see what can be hacked and how easy just as a test case for future malicious activity if needed. That would be the best case scenario if there is one.

    • As I read yesterday, Anthem is sending out notifications over an 8 week period @ approximately 1M per week. Our state’s Blue Cross Blue Shield affiliate was affected and approximately 4-6 people where I work are affected as a result. We didn’t think we were affected by Anthem but health care is quite the tangled web. I suspect, due to the proximity to WA that some of my co-workers will be affected as they seek health care in the Seattle area.

  6. Richard Steven Hack

    Yes, if Mandiant was hired, that means it will be Chinese hackers – even if it wasn’t Chinese hackers, that is.

    Someone explain to me why a STATE would be interested in health care records of random people. Granted, the PII of such people might come in handy if you want to use them to access more interesting organizations, but in general that’s a pretty round-about way to get into a place. It’s much easier to just compromise a relevant “watering-hole” or just use ordinary passive intelligence gathering to get enough info to do a phishing attack – which is what Chinese hackers usually do.

    In other words, until I see concrete evidence, the “Chinese state-sponsored hacker” bit remains unproven to me. The proof that these people are state-sponsored is highly circumstantial.

    And yes, I continue to believe North Korea is not proven to have done the Sony hack, either.

    • I suspect that the large numbers of records are simply a smash-and-grab. They’re probably looking for a few key records, but figured it’s easier to exfiltrate everything and sort it later at their leisure.

      • I feel that these breaches (Premera & Anthem) are more egregious than credit card breaches. It is very easy to hot card your credit/debit card and get it reissued by your bank. You cannot get your SSN reissued. The timing also seems to coincide with tax season which is a bit concerning. The credit monitoring is nice, however there are things that thieves can do with an SSN that will not hit credit reporting agencies. This is why I feel these breaches are more profound than the Target, Home Depot, et al.

    • What most mistake is that the state sponsored attacks are targeting individual PHI. What they care about is access to mass consumer health data indicating the type of pharmaceuticals etc that are being used to treat specific medical conditions etc. These foreign states use that data to hone their production of generic or other drugs while cutting cost from research trials and many other facets. They’re inspired by the mass monetization that occurs through analyzing all of this information. They don’t care that John Doe has arthritis or is using Celebrex. They do care that drug X is prescribed for 87% of the patients treated for high cholesterol.

      • Doubtful. There are MUCH easier ways to get data on drug utilization, NONE of which involve blowing holes in a health insurance company’s network and exfiltrating a bunch of subscriber data for off-site analysis. Among other possibilities, most insurers and drug companies would have summary and utilization review documents that would suffice for the purposes you describe, and those documents would be FAR easier to access than an insurance company’s subscriber database.

      • Sounds like the pragmatic approach ie they, whomever they may be, are after primarily an edge in the pill market.

        Hey, those Chinese learn fast the American way.

    • “State sponsored” is excusespeak intended to convey the message that the hack was so highly technical that only a State could launch it.
      That then gets translated to “No company could have prevented such a sophisticated attack”.
      Which finally ends up at ‘Don’t blame us”.

      • I agree Aloha. Anthem/Premera is ducking this saying, ‘It’s not our fault.’ The details of the attack state fake websites were set up ‘we11point.com’ and mailings were sent out fooling employees into thinking the mailing came from ‘wellpoint.com’. I am sure that all of the mailings were not successful. What did the employees do that were not fooled? Did they report the incident to Anthem/Premera Security team? What did this team do in response? If there is no security policy stating you must report potential security breach attempts, I would want to know ‘Why not?’.

    • Simple. Monetization. Health information, and specifically your health identity (your ID number with your provider) is selling on the black market for $10 per record (according to an article I read about 6 months ago – I can’t remember the source) while credit card numbers are only going for about $1 per record. You can set up much larger (monetarily speaking) health care fraud scenarios than with a CC. Not nearly the fraud detection mechanisms in place within the HC industry as there are in the bankcard industry.

  7. I have already had a major HIPAA violation and would almost stake money on at least one person behind this.
    If interested in this information please contact me.
    She broke into my records 87 times undetected for over a year so this would not be something she couldn’t do.
    Lynn
    425/530-6709

    • Lynn, you might consider removing your telephone number as you’ll get some creeps calling you. The flip side of internet freedom is there is internet freedom for trolls as well as good folks.

    • captain obvious

      The fact that you just posted your telephone number shows that you are not very careful with your personal info. I can see why someone would target you…. SMH.

  8. Not_A_Coincidence

    About 4 weeks ago Premera started to search for a new Director of IT Compliance and Security, it was formerly filled by a long-term employee who worked their way up the ladder.

  9. Last year it was the retailers and this year it’s the healthcare service providers (Lifewise, CHS, Anthem and now Premera) – what’s the commonality, does the shift in the trend indicate anything?

    Something to ponder upon…is it just lucrative PII data in the black market or the ease of circumventing the traditional security controls makes it a fertile ground?

  10. Even if the IP address of the server is from China, it seems to me the thieves could really be from anywhere … Is Chinese security so good that nobody can break-in to (relay through) their stuff ???

    Also, if the Chinese did break in, how many other separate groups also broke-in ???

    Not sure why the Chinese government would want a bunch of health data …

    • As much as the blame game is on the Chinese and perhaps it really is their doing…. never forget that the NSA/CIA/FBI and all the intelligence arms of the armed forces are quite capable of doing creative things themselves.

      This ain’t no cops and robbers at all. It’s cyber war.

    • Seeing as how the PLA has a unit dedicated to cyberwarfare, it could be they were conducting “maneuvers” to keep their edge.

  11. With every breach, credit monitoring is offered and more people pay fees for credit freezes. Has anyone looked into the credit reporting agencies and monitoring services, to see if they’re hiring foreign and domestic black hats to run up some old-fashioned fear in the public? It’s the sort of thing the mafia used to do: create some “random crime” to convince people that they needed protection.

  12. That would be awesome. The UN should vote for an Internet blockade to these state sponsored hacker countries.

  13. Great. Until late last year I worked for a company that used Premera as their employer provided health insurance provider. This same company uses ADP for payroll and was also affected by that attack a few years ago.

    I guess it’s time to freeze my credit.

  14. Love the idea about cutting them off the net. But, are they the guilty party? And let’s look at rule two, why is that information available to steal? If a company’s greatest treasure is its customer base, why is it available to be lost or stolen? So don’t blame the bad guys for stealing something stealable. Blame your security for leaving the doors open for crooks. Stop asking Todd and Judy to come play with you, get serious, find the security nerd, set up a crook unit to test your defenses, break in competitions for a prize, at local colleges, whatever, but get serious. Or go broke from penalties that should be imposed by bad business practices.

    • MakingItTooEasyForThem

      Yes, Premera, in this case is partially to blame too (along with Anthem, Home Depot, Target, and the many other breached network operators).

  15. Reading about this being another instance of China backed related hacking got me thinking (scary I know). What do they have to gain? As annoying and frustrating as it is for those impacted, and the cost to companies and banks, I’m not sure of the end goals. It’s not going to ruin the economy such as it is. Is there something more nefarious going on? Yeah crazy thoughts…

    • Getting info on individuals. F35 fighter data was stolen in part because they learned what favorite websites some simple engineers liked to visit during lunch. They then knew what site to hack to plant malware.

      E.g. if you know a certain key individual or family member at a company you want to target has an illness that is even much more powerful data.

      Or perhaps you just know what phishing mail to send them.

      Basically if it is indeed a state sponsored attack, we are talking about the Chinese NSA. Not surprised they do to us what we are doing to the world. In that sense our outcry is also pretty hypocritical BTW.

    • Yes, what does China want with all of that information?
      What if it isn’t China, but the US government who is doing all of these cyber attacks to scare the Americans into regulating the internet. It wouldn’t be the first time they used scare tactics to get control of the people.

      https://www.youtube.com/results?search_query=secret+space+program+2014

  16. And once again the crooks at Experian benefiting for no good reason.

  17. I don’t understand why China is hacking into anything in the US, unless it’s just for kicks. Since Clinton (and others) sold us out to them, they can afford to just buy any (insurance) US company and have all the data they want from it.

  18. How long ago was it that we learned about Anthem Blue Cross’s data being stolen? They still have not sent a written communication to all customers about it and what steps to take to protect themselves and what Anthem is doing since the breach.

  19. When’s Anthem going to send a status by mail to ALL customers about the breach and what they are doing and what customers need to do to recover from the theft?

  20. Not_A_Coincidence

    The Seattle Times published the results of the Premera Federal Audit this afternoon, completed 11/2014: https://s3.amazonaws.com/s3.documentcloud.org/documents/1688453/opm-audit.pdf

  21. Sometimes in war, you can choose whether to play offense or defense. Russia in World War II comes to mind. In Cyberwar, Israel seems to be able to play both, well. But most of the time, you don’t get to choose.

    In cyberwar, the United States civilians have to play defense (what the Government is doing, we cannot know). So we have to be good at it. All of us. The vendors, the sysadmins, the software engineers, and the end users.

    Unfortunately, most people don’t give a damn about computer security. As security elites, we have to convince them. It is going to be hard, but we have to do it.


  23. What if all of these “cyber” attacks are being orchestrated by our government to instill fear into Americans about having an open internet without any kind of regulations in order to push them towards passing a bill that would regulate what can and cannot be allowed on our internet?

    You can start by running back ground checks on the owner(s) of Mandate and its employees to see if they or their families may have any connections with the government.

    Never believe what you hear or read in the media.

    And, if you really want to know just how corrupt the government is, go here: or just put into your search engine: secret space program 2014
    https://www.youtube.com/results?search_query=secret+space+program+2014


  25. This is an interesting page for all. It is the U.S. Health and Human Services Breach Portal “Breaches Affecting 500 or More Individuals” that goes back to 2009. A Wall of Shame… https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. So far this year, there have been 57 noted for a total of over 92M records where Premera Blue Cross and Anthem account for nearly 90M of them.
