OLYMPIA – Washington insurance officials will lead a multistate investigation into how computer hackers were able to breach the security of the state’s largest health insurance company and whether Premera Blue Cross took the proper steps to notify some 11 million customers after it was discovered.
State Insurance Commissioner Mike Kreidler said Tuesday that Alaska and Oregon will join in the market conduct examination of the security breach Premera discovered on Jan. 29. State officials were notified last week.
After data breaches at Premera and another major insurance company, Anthem, “we will use every resource within our authority to ensure that consumers are protected and to see that insurers are responding appropriately,” Kreidler said.
Eric Earling, vice president of communications for Premera, said the company looks forward to working with Kreidler’s office and the other states in the investigation while it provides identity theft protection for current and former customers.
“There’s no evidence that information has been removed from our system,” Earling said.
The company is sending letters to customers at a rate of about 500,000 a day and as of Tuesday some 88,000 customers had taken advantage of the two years of free identity theft protection it was offering, he said.
Kreidler’s office was critical of the six-week delay in reporting the breach to insurance regulators.
“They could have just come to the commissioner and said this had happened, and we could have kept it confidential,” said Steve Valandra, deputy commissioner for public affairs. “A lot can happen in six weeks.”
State and federal laws require prompt customer notification when a business has a data breach, but set different standards. Premera was within the federal guidelines set in the Health Insurance Portability and Accountability Act. Personal identification data, such as names, dates of birth and Social Security numbers are protected under the act, commonly known as HIPAA, as is information about medical conditions and treatment.
HIPAA requires notification within 60 days of discovery of a data breach. Premera’s notification of Kreidler’s office and the subsequent announcement and the letters to customers fall within that timeline.
But state law says a business shall notify a person or business of a security breach that exposes their information “immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” State law allows a delay of that notification “if a law enforcement agency determines that the notification will impede a criminal investigation.”
Although the FBI is investigating the Premera breach, Earling said the federal agency did not ask the company to delay notification. Instead, the company had “very strong advice” from its private cybersecurity consultant, Mandiant, to delay release to prevent the hackers from doing damage and making threats to businesses with data in the Premera system. During the delay, Mandiant improved Premera’s security and cleansed its system of malware that had been implanted.
The market conduct examination is a common process to examine how an insurance company is responding to consumers, Valandra said. Washington is taking the lead because Premera’s headquarters is here, as are 6 million of the current and former customers. Another multistate examination is being conducted for Anthem, another major insurance company that had a security breach early this year.
Investigators don’t have subpoena power, but can have access to confidential information, which wouldn’t be revealed in what Valandra described as a generalized report.
“There will be some explanation of what happened,” he said.
Congress, meanwhile, is looking for answers in the wake of the Premera and Anthem security breaches. Sen. Patty Murray, D-Wash., who last week demanded answers from Premera President Jeff Roe on the cause of the breach and the steps being taken to protect patient information, said Tuesday she was pleased the market conduct exam was underway.
“It is critical that families’ personal information be safe and secure,” she said in a statement released by staff.
Local journalism is essential.
Give directly to The Spokesman-Review's Northwest Passages community forums series -- which helps to offset the costs of several reporter and editor positions at the newspaper -- by using the easy options below. Gifts processed in this system are not tax deductible, but are predominately used to help meet the local financial requirements needed to receive national matching-grant funds.
Subscribe to the Coronavirus newsletter
Get the day’s latest Coronavirus news delivered to your inbox by subscribing to our newsletter.