Feds warned Premera about security flaws before breach

  • By Mike Baker The Seattle Times
  • Thursday, March 19, 2015 8:58am
  • Business

SEATTLE — Three weeks before hackers infiltrated Premera Blue Cross, federal auditors warned the company that its network security procedures were inadequate.

Officials gave 10 recommendations for Premera to fix problems, saying some of the vulnerabilities could be exploited by hackers and expose sensitive information. Premera received the audit findings on April 18 last year, according to federal records.

The company disclosed Tuesday that a breach occurred on May 5, potentially exposing Social Security numbers, addresses, bank-account information, medical information and more for 11 million customers.

Premera didn’t respond to the audit findings until June 30 and said at the time it had made some changes and planned to implement others before the end of 2014. The company, based in Mountlake Terrace, said it didn’t discover the breach until January of this year and didn’t disclose it until this week so it could secure its information technology systems first.

Premera spokesman Eric Earling said the audit, conducted by the U.S. Office of Personnel Management, was routine. He said the company worked to address the issues raised and that the vulnerabilities described in the audit may not have been exploited by the hackers.

“We believe the questions OPM raised in their routine audit are separate from this sophisticated cyberattack,” Earling said. He declined to discuss details of the hack, citing an ongoing FBI investigation.

In one part of the technology audit, federal officials conducted vulnerability scans and found that Premera wasn’t implementing critical patches and other software updates in a timely manner.

“Failure to promptly install important updates increases the risk that vulnerabilities will not be remediated and sensitive data could be breached,” the auditors wrote.

Premera responded to the auditors by saying it would start using procedures to properly update its software. But the company told the audit team that it felt it was in compliance when it came to managing “critical security patches.”

The auditors responded that the vulnerability scans indicated the company was not in compliance with that aspect. They suggested that the company provide evidence that it had implemented the recommendation, although the documents don’t say whether that occurred.

The auditors also found that several servers contained software applications so old that they were no longer supported by the vendor and had known security problems, that servers contained “insecure configurations” that could grant hackers access to sensitive information, and that the company needed better physical controls to prevent unauthorized access to its data center.

Federal auditors examined Premera because it is one of the insurance carriers that participates in the Federal Employees Health Benefits Program. Auditors examined applications used to manage claims from federal workers, but also the company’s larger IT infrastructure.

Susan Ruge, associate counsel to the inspector general at the Office of Personnel Management, said the office is monitoring the situation at Premera, but hasn’t determined whether the data breach will lead to any unplanned audit work at the company.

Premera Blue Cross is the largest health-insurance provider in Washington state based on enrollment, and it has more than 6 million current and former customers in the state who could be affected by the breach. The company said the hackers may have gained access to customer information dating back as far as 2002.

The company is beginning to mail letters to the approximately 11 million affected customers in Washington and elsewhere.
