BOSTON (Reuters) - Health insurer Premera Blue Cross said on Tuesday it was a victim of a cyberattack that may have exposed medical data and financial information of 11 million customers in the latest serious breach disclosed by a healthcare company.
It said the attackers may have gained access to claims data, including clinical information, along with banking account numbers, Social Security numbers, birth dates and other data in an attack that began in May 2014.
It is the largest breach reported to date involving patient medical information, according to Dave Kennedy, an expert in healthcare security who is chief executive of TrustedSEC LLC.
About 6 million of the people whose accounts were accessed are residents of Washington state, where customers include employees of Amazon.com Inc (AMZN.O), Microsoft Corp (MSFT.O) and Starbucks Corp (SBUX.O), according to Premera. The rest are scattered across every state in the United States.
The breach at Anthem and another large one disclosed last year by hospital operator Community Health Systems Inc (CYH.N) involved larger numbers of records than the attack on Premera. Yet those companies said they believed the attackers did not access medical information.
Medical records are highly valuable on underground criminal exchanges where stolen data is sold because the information is not only highly confidential, it can also be used to engage in insurance fraud.
“Medical records paint a really personal picture of somebody’s life and medical procedures,” Kennedy said. “They allow you to perpetrate really in-depth medical fraud.”
The insurer said it has so far uncovered no evidence to show that member data was “used inappropriately.”
The breach was uncovered on Jan. 29, the day that insurer Anthem Inc (ANTM.N) disclosed a cyberattack involving records of some 79 million members in Blue Cross Blue Shield plans across the country.
Premera spokesman Eric Earling said the two attacks were unrelated and that his company independently identified its breach.
Still, experts expect that other healthcare companies will discover that they have been breached as the latest attack prompts them to look for intrusions.
“I think other insurance providers are compromised today and we still don’t know it. More and more are going to disclose attacks,” Kennedy said.
Premera hired FireEye Inc (FEYE.O) to investigate the matter and is also working with the FBI.
The attack affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and affiliated brands Vivacity and Connexion Insurance Solutions.
Reporting by Jim Finkle; Editing by Dan Grebler