
Anatomy of a Breach: Premera Blue Cross — 11 Million Records and the APT Campaign Against US Healthcare

> series: anatomy_of_a_breach —— part: 075 —— target: premera_blue_cross —— records: 11,000,000 —— clinical_data: yes

Hedgehog Security 31 March 2015 11 min read

Anthem was not an isolated incident. The entire healthcare sector was under attack.

On 17 March 2015, barely six weeks after Anthem's 78.8-million-record disclosure, Premera Blue Cross announced that attackers had gained access to its systems in May 2014 and stolen the personal and medical data of approximately 11 million customers. Unlike Anthem, the Premera breach included clinical information (medical claims data and treatment records) in addition to the standard personal identifiers: names, Social Security numbers, dates of birth, bank account details, and email addresses.

The Premera breach bore the hallmarks of the Anthem attack, and the FBI had already issued a specific warning to the healthcare sector about Chinese APT activity targeting health insurers. The back-to-back disclosures of Anthem and Premera established that the US healthcare sector was under sustained, coordinated attack by sophisticated adversaries targeting health data at scale. For UK healthcare organisations, the message was clear: if the largest health insurers in the world could not protect their data, no healthcare organisation could afford to assume it was safe.


Not just names and numbers — medical records too.

The inclusion of clinical data in the Premera breach made it particularly sensitive. Medical claims data — records of treatments, diagnoses, prescriptions, and conditions — is among the most intimate information an organisation can hold. Its exposure enables medical identity fraud (filing false insurance claims using stolen identities), blackmail (threatening to reveal sensitive diagnoses), and discrimination (employers or insurers using leaked health information against individuals).

Clinical Data Cannot Be Changed

Unlike a credit card (which can be reissued) or a password (which can be reset), medical history cannot be changed. Once stolen, it is permanently compromised. This permanence makes healthcare data theft uniquely damaging and is why our <a href="/blog/sector-under-the-microscope-healthcare">healthcare sector analysis</a> identifies it as requiring the highest level of protection.

Nine Months Before Detection

The attackers gained access in May 2014, Premera discovered the intrusion on 29 January 2015, and the breach was disclosed in March 2015: roughly nine months of undetected access, during which the attackers had free rein over the data. <a href="https://www.socinabox.co.uk/sectors/gp-surgeries">SOC in a Box for Healthcare</a> provides the continuous monitoring that reduces dwell time from months to hours.

Coordinated APT Campaign

The FBI's warning to healthcare providers, combined with the Anthem and Premera breaches, established that a coordinated APT campaign was targeting the US healthcare sector. For UK healthcare organisations, <a href="https://www.cyber-defence.io/services/threat-intelligence">UK Cyber Defence's threat intelligence</a> provides awareness of campaigns targeting the sector.

Healthcare Compliance Is Not Security

Premera was compliant with US healthcare data protection requirements (HIPAA), yet attackers sat inside its network for nine months. As with <a href="/blog/anatomy-of-a-breach-global-payments">Global Payments'</a> PCI compliance, regulatory compliance is a baseline, not a guarantee. <a href="/penetration-testing">Penetration testing</a> validates real-world security beyond compliance checkboxes.

Healthcare security requires more than compliance.

The Anthem-Premera one-two proved that compliance-driven security is insufficient against determined adversaries. UK healthcare organisations subject to the NHS Data Security and Protection Toolkit (DSPT), UK GDPR, and Cyber Essentials must go beyond compliance checkboxes and implement security controls that are tested, monitored, and continuously validated. Our penetration testing identifies the gaps. SOC in a Box for Healthcare monitors continuously. And UK Cyber Defence provides incident response when healthcare data is targeted.


Anthem. Premera. The NHS. Healthcare is under sustained attack. Is yours defended?

Our <a href="/penetration-testing">penetration testing</a> goes beyond compliance. <a href="https://www.socinabox.co.uk/sectors/gp-surgeries">SOC in a Box for Healthcare</a> monitors 24/7. <a href="/cyber-essentials">Cyber Essentials</a> establishes the baseline.
