The health insurer Premera Blue Cross announced on Tuesday it was the victim of a “sophisticated” cyberattack that could potentially impact at least 11 million people.
The Pacific Northwest-based company said it became aware of a network intrusion dating back to May of last year, but did not discover the breach until late January.
Premera said the compromise could have exposed sensitive customer data, including claims, clinical information, banking account numbers and social security numbers, as well as birth dates, mailing and email addresses, and phone numbers.
The data breach affects users of Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and Vivacity and Connexion Insurance Solutions.
The company is currently working with the FBI and a cybersecurity firm to further investigate the cause of the attack.
Earlier this year, a similar incident hit Anthem, the second largest insurer in the United States, which affected nearly 80 million customers. Additionally, about 19 million non-customers were impacted by the breach.
“When the Anthem breach hit, many in the security industry were well aware [the company] was not alone,” said Tripwire Senior Security Analyst Ken Westin.
“Organized criminal syndicates targeting this type of data don’t target one organization—they target an entire industry.”
Westin explained it is not uncommon for many of the vulnerabilities or security lapses found in one organization to appear in multiple organizations within the same industry.
“The fact that the breach went undiscovered for seven months indicated that the institution likely did not have proper detective controls in place to identify an attacker was inside the network,” said Westin.
Consumers affected by the breach will be provided two years of free credit monitoring, as well as identity protection services.
Premera currently serves millions of customers across Washington, Oregon and Alaska, among other states.