The Spokesman-Review Newspaper
Spokane, Washington  Est. May 19, 1883

Premera warned by feds about security flaws before breach

Seattle Times

SEATTLE – Three weeks before hackers infiltrated Premera Blue Cross, federal auditors warned the company that its network security procedures were inadequate.

Officials gave 10 recommendations for Premera to fix problems, saying some of the vulnerabilities could be exploited by hackers and expose sensitive information. Premera received the audit findings on April 18 last year, according to federal records.

The company disclosed Tuesday that a breach occurred on May 5, potentially exposing Social Security numbers, addresses, bank-account information, medical information and more for 11 million customers.

Premera didn’t respond to the audit findings until June 30 and said at the time it had made some changes and planned to implement others before the end of 2014. The company, based in Mountlake Terrace, said it didn’t discover the breach until January of this year and didn’t disclose it until this week so it could secure its information technology systems first.

Premera spokesman Eric Earling said the audit, conducted by the U.S. Office of Personnel Management, was routine. He said the company worked to address the issues raised and that the vulnerabilities described in the audit may not have been exploited by the hackers.

“We believe the questions OPM raised in their routine audit are separate from this sophisticated cyberattack,” Earling said. He declined to discuss details of the hack, citing an ongoing FBI investigation.

In one part of the technology audit, federal officials conducted vulnerability scans and found that Premera wasn’t implementing critical patches and other software updates in a timely manner.

Premera responded to the auditors by saying it would start using procedures to properly update its software. But the company told the audit team that it felt it was in compliance when it came to managing “critical security patches.”

The auditors responded that the vulnerability scans indicated the company was not in compliance with that aspect. They suggested that the company provide evidence that it had implemented the recommendation, although the documents don’t say whether that occurred.

The auditors also found that several servers contained software applications so old that they were no longer supported by the vendor and had known security problems, that servers contained “insecure configurations” that could grant hackers access to sensitive information, and that the company needed better physical controls to prevent unauthorized access to its data center.