Premera responds to Sen. Patty Murray’s “strong concern”

After learning of the data breach that led to the theft of personal information from 11 million Premera customers, Senator Patty Murray (D-WA) posed a series of pointed questions in a letter to Premera President Jeff Roe. Her questions focused on how the data breach occurred and why it took Premera over six weeks to notify those affected as well as the general public.

Roe recently responded to the Senator’s questions, detailing how the breach was discovered, the timeline of the public announcement, the status of notifying affected individuals and the steps being taken to reconcile those individuals while preventing future intrusions. The response provided important context to the actions, or lack of action, that triggered the concern of Senator Murray.

Of particular importance to Senator Murray were the reasons for the delay in notifying affected members and the general public. Premera addressed this directly, citing recommendations from its cyber security consultant Mandiant. Premera’s paramount task in the immediate aftermath of the discovery was identifying the scope of the vulnerability, addressing the breach, and ensuring the rest of the network was secure. Roe noted that notifying the public before these tasks were completed would open Premera and its members to additional harm. In his response, Roe specified the risks of premature notification:

…the reason that these steps were necessary is that any public announcement would also alert the attackers themselves, and that the attackers could have then taken any of the following steps before they lost access to the network: downloading sensitive information from the network; corrupting data; disrupting network service; and creating new vulnerabilities and further embedding themselves in the system, making it even more difficult to eradicate the attackers and prolonging their access to sensitive information.

At the time of Roe’s response, over half of affected members had been notified and he anticipated Premera would complete the notifications by the end of March, which is within the timeline required by federal law.

Roe also stated that the cyber attack did not affect other businesses and organizations interacting with Premera, and that no evidence of data being removed has been found. However, Premera has taken action to provide affected individuals with credit monitoring and identity protection services in the event personal data was accessed and used maliciously.

While it is unclear whether or not Premera’s response to the cyber attack will satisfy the Senator’s concerns, it may not be the most significant concern for Premera moving forward. In addition to a multi-state investigation into the breach, a class-action lawsuit has been filed against Premera for unspecified damages.