Premera cyberattack: How an ancient state law makes our data vulnerable
Odds are good you got one of these letters from Premera Blue Cross, too. The Mountlake Terrace-based health insurer sent them out to 6 million subscriber accounts in Washington and another 5 million in Oregon and Alaska.
Mine’s dated March 17, though I didn’t receive it until last week, and it begins, “I am writing to inform you that Premera Blue Cross (‘Premera’) was the target of a sophisticated cyberattack, and that some of your personal information may have been accessed by the attackers.” As in name, date of birth, social security number, address, email, phone number, member ID, bank account info and medical details. Short of embarrassing photos from that college Wesson Oil party, what more could any snoop want?
In the letter, Premera CEO Jeffrey Roe goes on to express his heartfelt sympathy and solidarity: “We recognize this issue can be frustrating and we are taking steps to protect you.” And he offers the usual consolation from corporations whose security practices expose our intimate data to the cyber-thugs: two years of free credit monitoring and identity-theft insurance from Experian.
That’s not good enough for Washington Insurance Commissioner Mike Kreidler, who announced a week later that his office would lead a “multi-state investigation” of Premera’s “market conduct,” including but not limited to its security procedures. One question Kreidler wants answered: Why did Premera wait until March 17 to report a breach it became aware of on Jan. 29? “That didn’t go over well here,” says Steve Valandra, the deputy insurance commissioner for public affairs.
And why did eight months pass after what appears to be the biggest cyberattack in Washington history began before Premera noticed it? In November, the U.S. Office of Personnel Management (which takes an interest because Premera manages federal employee health benefits) released a stinging audit of Premera’s information systems. It scored the Mountlake Terrace-based insurer for maintaining insufficient password controls, inadequate physical security at its data center, using vulnerable outdated software, failing to establish and monitor approved configuration settings, and more.
All this makes a company that’s just gotten hacked a target-rich environment. And sure enough, the vultures are circling. At least one law firm has announced a class-action lawsuit on behalf of Premera subscribers. It seeks, among unspecified other remedies, lifelong rather than two-year credit and identity protection.
Nevertheless, Eric Earling, Premera’s vice president for public affairs, has answers to these troubling questions. He says his company didn’t report the attack for six weeks on the recommendation of the top cybersecurity firm it had already hired in the wake of attacks on other companies, Mandiant Security Consulting Services (motto: “Cyberattacks are inevitable. Being a headline is not.”). “We got some pretty specific advice that we should secure our systems first,” says Earling, “If you announce first, the attackers often take more malicious action in response.” He says the FBI, which is investigating the attack, concurred.
“We have no evidence that any information was removed from the system,” adds Earling, “and the FBI reports that none of it has been used.” He also says that eight months from breach to discovery is “pretty typical” in attacks like this, and that “Mandiant has taken a look and found that none of the findings in the federal audit report are related to the cyberattack.” Premera has already implemented some of the audit’s recommendations, he says, and it’s working on the others.
All this sounds quite reasonable, though one should never underestimate the arrogance and stupidity of large corporations in handling the information they demand of us. I remember when identity theft first became a cause célèbre, in the ’90s. Cigna, the financial behemoth managing my employer’s 401ks, would send us monthly paper statements with name, birthdate and social security number at the top of every page. I called up the chain to explain why this wasn’t such a good idea and I would hold them liable if I got dragged to identity-theft hell. Have you ever heard someone shrug over the phone?
As for Premera, another question had troubled me from the start: Why the heck was it still holding my data? I hadn’t been a subscriber since the 1980s or ’90s, when it was still plain vanilla Blue Cross of Washington and Alaska. As it turns out, the answer goes a ways toward excusing Premera and other insurers that still hold long-ago subscribers’ still-sensitive data.
I soon discovered why I was on the list: The accounts that got hacked went back to 2002, when Premera installed its current data systems; that’s why they numbered 11 million, many more than the current subscribers in Premera’s three-state territory. And it turns out Lifewise, which provided the workplace coverage I had later in that decade, is a Premera subsidiary.
But the question remains: Why hold data years after it’s pertinent? According to the customer service rep I spoke to after I got the letter, Premera keeps accounts live for three years after they’re closed, in case any claims come in. After that, they’re off to the digital archives, never to be seen again — except by Russian gangsters, Chinese cyberspies, or whoever broke into those 11 million Premera accounts.
Purging obsolete files could substantially reduce the data lode available to attackers, not to mention saving insurers loads of server capacity and electricity. But even if they wanted to, Premera and other health insurers might not be able to do so without breaking state law.
“Washington doesn’t have a direct record retention law,” says deputy insurance commissioner Valandra. “However, companies are required to keep records at least from exam to exam [conducted by the commissioner’s office]. Since financial exams occur every five years, that is the minimum amount of time that records should be retained.”
But one of the tersest sections of the Revised Code of Washington, RCW 48.05.280, reads in its entirety, “Every insurer shall keep full and adequate accounts and records of its assets, obligations, transactions, and affairs.” Not for X number of years but, in the absence of a pull date, indefinitely.
This law was adopted in 1947, when the Internet wasn’t even a glimmer in Alan Turing’s or John von Neumann’s eye. “It’s kind of a bizarre law, really outdated,” says Robert Solano, a health-insurance compliance analyst in the Office of the Insurance Commissioner. He’s heard it discussed as an open-ended requirement, and as a candidate for revision in the next legislative session.
Earling says neither Premera nor, as far as he knows, anyone else in the industry is trying to get the state rule changed. “But I can say it’s definitely reasonable to look at laws and regulations on the books. You’re talking about laws and regulations written before there were sophisticated cyberattacks.”
Limiting how long businesses store our data, as well as what data they collect, won’t stop the attacks. But it would make us skinnier targets.