Washington State’s insurance commissioner has opened up a multi-state investigationinto Washington’s largest insurance carrier, Premera Blue Cross, after a data breach left 11 million customers’ private information exposed to hackers.
Premera says it found out about the hack on January 29, and the company disclosed it publicly on March 17. So the first thing Insurance Commissioner Mike Kreidler wants to know is, what took so long?
“Why did it take six weeks before you notified the primary regulator? I want to know why we didn’t know earlier, so that we can make sure that everything that can be done is being done to protect the consumer’s interest,” Kreidler said in an interview.
Premera spokesman Eric Earling said the company did notify the FBI sooner, on February 20th, three weeks after the breach was discovered. He added that it was important to patch up the vulnerability before going public.
“We received some pretty strong advice from experts that if an announcement is made before IT systems are secured, those attackers will engage in more malicious activity,” Earling said.
More than six million of the affected customers are current or former Washington State residents. Hackers may have had access to their names, addresses, social security numbers, bank information and even clinical information, according to Kreidler’s office.
Kreidler is investigating the breach, along with authorities in Alaska and Oregon. He wants the company to explain how the attack happened and what they’ve done to prevent future hacks. Washington U.S. Sen. Patty Murray, the ranking member on the Senate Health, Education, Labor and Pensions Committee, is also pressing Premera for answerson the nature of the attack and what corrective action has been taken.
Premera says there’s no evidence that customers’ data was actually stolen. The company is notifying affected customers by mail. As of Monday, Premera had sent out notifications to about 1.75 million customers, a spokeswoman said, and is continuing to mail about 500,000 a day. Anyone who believes he or she was affected can sign up for two years of free credit monitoring.
