In March 2015, Premera Blue Cross in Washington State (premera.com) was victim
Question
In March 2015, Premera Blue Cross in Washington State (premera.com) was the victim of a cyberattack in which 11 million customers were affected. Hackers were able to penetrate the system on May 5, 2014, but it was not discovered until January 29, 2015. Sensitive data like SSN, DOB, email address and other account information was compromised.
Here are a couple of links with some information about the incident.
http://krebsonsecurity.com/2015/03/premera-blue-cross-breach-exposes-financial-medical-records/
https://www.premera.com/wa/visitor/about-the-cyberattack/?WT.z_redirect=www.premera.com/cyberattack/
Prepare a report that covers the following:
Explain the background details about the organization and the nature of the attack or crime that occurred.
Analyze and describe details regarding the impact of the attack or crime to include financial losses, number of individuals affected, and the effect on the reputation of the organization.
Analyze the organization’s incident response and whether or not the incident was handled in an appropriate manner.
Your report should be two to three pages in length.
Explanation / Answer
Premera Blue Cross
About the Premera Blue Cross Organization:
The Premera Blue Cross organization was founded on May 5, 1945. It is a nonprofit Blue Cross Blue Shield licensed health insurance company based in Mountlake Terrace, Washington, United States. It sells health insurance plans under the Blue Cross license in Washington state except Clark County, and under both the Blue Cross and Blue Shield licenses in Alaska. It also has affiliate health insurance operations in Washington and Oregon under the LifeWise brand.
The company provides health insurance and related services to approximately 2 million people. Premera Blue Cross has operated in Washington since 1933, and in Alaska since 1957. Premera Blue Cross is an independent licensee of the Blue Cross Blue Shield Association.
About the organization's products:
About the Cyber Attack:
On January 29, 2015, Premera discovered that cyber attackers had executed a sophisticated attack to gain unauthorized access to its Information Technology (IT) systems. Investigation further revealed that the initial attack occurred on May 5, 2014. As part of the investigation, the organization is coordinating with the FBI's investigation into this attack.
The organization worked closely with Mandiant, one of the world's leading cybersecurity firms, to conduct the investigation and to remove the infection created by the attack on the IT systems. Along with the steps taken to cleanse the IT systems of issues raised by this cyberattack, Premera is taking additional actions to strengthen and enhance the security of its IT systems moving forward.
This incident affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and the affiliate brands Vivacity and Connexion Insurance Solutions, Inc. The investigation determined that the attackers may have gained unauthorized access to applicants' and members' information, which could include member name, date of birth, email address, address, telephone number, Social Security number, member identification numbers, bank account information, and claims information, including clinical information. This incident also affected members of other Blue Cross Blue Shield plans who sought treatment in Washington or Alaska.
Some individuals that have done business with the organization and provided them with their email address, personal bank account number or social security number were also affected. The investigation has not determined that any such data was removed from the systems.
Premera has been the target of a sophisticated cyberattack that gained unauthorized access to the IT systems. Investigation has not determined that any data was removed from the systems. To date there is no evidence that any data has been used inappropriately. The security of the members' personal information is a top priority, and the organization took proactive steps to address this issue.
Impact of the attack:
Investigation determined that attackers may have gained unauthorized access to personal information, but the organization has not determined that any information was removed from the system. The information that may have been accessed could include name, address, email address, telephone number, date of birth, Social Security number, member identification number, medical claims information and, in some cases, bank account information. Premera does not store credit card information for members, so members' credit card information is not affected by this attack. The investigation has not determined that any information was removed from the systems, and there is no evidence to date that any such information has been used inappropriately.
This incident affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and the affiliate brands, Vivacity and Connexion Insurance Solutions, Inc.
Data was encrypted, but the attackers gained unauthorized access to the systems, therefore allowing them to potentially access personal information.
About financial losses, reputation of the organization and how the organization handled the incident:
The health care provider said that they are working with security firm Mandiant and the FBI in the investigation. Mandiant specializes in tracking and blocking attacks from state-sponsored hacking groups, particularly those based in China. Asked about clues that would suggest a possible actor involved in the breach, Premera deferred to the FBI.
An official with the FBI’s Seattle field office confirmed that the agency is investigating, but declined to discuss details of its findings thus far, citing “the ongoing nature of the investigation.”
“Cybercrime remains a significant threat and the FBI will continue to devote substantial resources and efforts to bringing cyber criminals to justice,” the FBI said in an emailed statement.
There are indications that this may be the work of the Chinese espionage group tied to the breach disclosed earlier this year at Anthem, an intrusion that affected some 78 million Americans.
On Feb. 9, 2015, KrebsOnSecurity carried an exclusive story pointing to clues in the Anthem breach which suggested that the attackers blamed for that breach — a Chinese state-sponsored hacking group known variously as “Deep Panda,” “Axiom,” “Group 72,” and the “Shell_Crew” — began chipping away at Anthem’s defenses in late April 2014. The evidence revolved around an Internet address that researchers had tied to Deep Panda hacking activity, and that address was used to host a site called we11point.com (Anthem was previously known as Wellpoint prior to its corporate name change in late 2014).
As that story noted, Arlington, Va.-based security firm ThreatConnect Inc. tied that Wellpoint look-alike domain to a series of targeted attacks launched in May 2014 that appeared designed to trick Wellpoint employees into downloading malicious software tied to the Deep Panda hacking gang.
On Feb. 27, 2015, ThreatConnect researchers published more information tying the same threat actors and modus operandi to a domain called “prennera.com” (notice the use of the double “n” there to mimic the letter “m”).
“It is believed that the prennera[.]com domain may have been impersonating the Healthcare provider Premera Blue Cross, where the attackers used the same character replacement technique by replacing the ‘m’ with two ‘n’ characters within the faux domain, the same technique that would be seen five months later with the we11point[.]com command and control infrastructure,” ThreatConnect wrote in a blog post three weeks ago.
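As an added illustration of the character-substitution look-alike domains the answer above describes (example code written here, not from the answer, Premera, or ThreatConnect): a small defensive check that maps confusable substitutes such as "nn" for "m" and "1" for "l" back to the letters they imitate, compares queried names against protected brand domains, and flags hits in a resolver log. The protected list, the extra confusable pairs beyond the two on the page, and the DNS log lines are constructed for the example.

```python
# Brand domains to protect: the two imitated in the incident described above.
PROTECTED = {"premera.com", "wellpoint.com"}
# Substitute -> letter it imitates. "nn" for "m" (prennera) and "1" for "l"
# (we11point) come from the page; the rest are common additions assumed here.
CONFUSABLES = {"nn": "m", "rn": "m", "vv": "w", "1": "l", "0": "o"}

def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'prennera[.]com' back into a hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower().rstrip(".")

def canonicalize(label: str) -> str:
    """Map each confusable substitute back to the letter it imitates, longest first."""
    for sub, letter in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(sub, letter)
    return label

def lookalike_of(domain: str):
    """Return the protected domain that `domain` imitates, or None."""
    host = refang(domain)
    if host in PROTECTED or host.endswith(tuple("." + p for p in PROTECTED)):
        return None  # the genuine domain or one of its subdomains
    labels = host.split(".")
    if len(labels) < 2:
        return None
    name, tld = labels[-2], labels[-1]
    for protected in PROTECTED:
        pname, _, ptld = protected.rpartition(".")
        if tld == ptld and canonicalize(name) == canonicalize(pname):
            return protected
    return None

# Constructed DNS resolver log: timestamp, workstation, record kind, queried name.
SAMPLE_DNS_LOG = """\
2015-03-17T09:12:01Z ws-0142 query www.premera.com
2015-03-17T09:12:05Z ws-0142 query mail.prennera.com
2015-03-17T09:13:44Z ws-0207 query we11point.com
2015-03-17T09:14:10Z ws-0207 query intranet.wellpoint.com
"""

def flag_log(log: str):
    """Return (workstation, queried name, imitated domain) for each lookalike query."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "query":
            target = lookalike_of(parts[3])
            if target:
                hits.append((parts[1], parts[3], target))
    return hits
```

Run `flag_log(SAMPLE_DNS_LOG)` to see the two imitation queries flagged while the genuine premera.com and wellpoint.com lookups pass.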