The Spokesman-Review Newspaper
Spokane, Washington  Est. May 19, 1883

Spin Control

Murray wants answers on Premera data breach

Washington's senior senator is demanding answers from its largest health insurer on a data breach that could affect as many as 11 million people nationwide.

Sen. Patty Murray, the ranking Democrat on the Health, Education, Labor and Pensions Committee, released a letter Friday to the president of Premera Blue Cross on the cyber attack on the company's data systems which could have exposed personal information of its current and former customers. About 6 million are in Washington.

In a letter to Premera President Jeff Roe, Murray said she had serious concerns on the cyberattack "and the failure of the company to make this information public and begin notifying current and former policy holders for over six weeks." The security breach reportedly occurred last May, wasn't discovered until January and was reported this week. Another large health insurance carrier, Anthem, also recently acknowledged a security breach, and the committee is investigating the health industry's preparedness for cyber threats.

Among the questions Murray said she wants answered by next Friday are when will the company notify all affected policy holders, how was the breach discovered, how were hackers able to breach the company's system and whether the attacks on Premera and Anthem are connected.

Here's the full text of the letter and the questions from Murray: 

Dear Mr. Roe:

I write to express my serious concern regarding the cyberattack on Premera Blue Cross and the failure of the company to make this information public and begin notifying current and former policy holders for over six weeks.  These failures are particularly troubling given the scope of the attack.  Not only did attackers access the personal information, such as names, birthdates, and Social Security numbers of millions of my constituents, they also potentially gained access to the personal health information and financial information of 11 million people, including 6 million current and former Washington state residents.  In addition, the confidential financial information of employers in my state, ranging from some of the largest companies with thousands of policy-holders to smaller organizations that are least able to bear the cost of the attack, was accessed. 

It is reported that the breach of Premera’s system was discovered on January 29, 2015, the same day as the breach of Anthem Incorporated’s system, and investigations have now demonstrated that both originated around the same time in May 2014.  As you know, unlike similar recent breaches affecting retail and financial service companies, the Health Insurance Portability and Accountability Act (HIPAA) requires that Premera provide notice without unreasonable delay and no later than 60 days after discovery of the breach.  I recently urged Anthem to accelerate the pace of notifying consumers as they have yet to reach more than 50 million of the nearly 80 million potentially impacted Americans.  And while I understand that both Anthem and Premera have worked closely with the Federal Bureau of Investigation and outside cyber security experts to investigate and address these attacks, I am very concerned by what led to Premera’s delay in making information about the breach public. 

I understand that Premera has now started to notify each of the affected individuals regarding the attack, and to offer two years of credit monitoring to those customers. I am glad that Premera is taking action on behalf of their customers. However, I remain concerned about the potential harm resulting from this enormous breach and what efforts that Premera will make to ensure that any harm is remedied. It is my hope that Premera can move with great speed and efficiency to ensure that my constituents receive prompt notice and information about the services that are being made available to them. 

At the beginning of the 114th Congress, I joined U.S. Senate Health, Education, Labor, and Pensions Committee Chairman Lamar Alexander (R-TN) in a bipartisan oversight initiative to examine the health industry’s preparedness for cyberattacks, including looking at what steps are currently being taken to protect against cyberattacks, what the industry and government should be doing to better protect patients’ personal information, and what barriers exist to making those improvements. I hope Premera will assist us in this effort to mitigate the impact of future cyberattacks on America’s health infrastructure.

While I understand that this attack is creating serious challenges for you, I would like to receive answers to the following questions by Friday, March 27, 2015:

 

  1. When will Premera complete efforts to notify the 11 million affected current and former policy holders?
  2. Why did Premera not immediately disclose the breach to the Department of Health and Human Services’ Office of Civil Rights as required by HIPAA?
  3. Why did Premera not immediately inform the 11 million current and former policy holders that their personal, financial and health records have potentially been compromised?
  4. What steps will Experian now that it is retained by Premera take to help affected individuals not just monitor but repair credit if necessary?
  5. What steps is Premera taking to assist Washington businesses that offer plans through Premera to address security risks arising from the breach?
  6. What steps is Premera taking to reduce and protect against risks of cyber incursions at companies whose employees are insured through Premera?
  7. What were the findings of outside security consultant Mandiant?
  8. How was the breach discovered?
  9. How were the attackers able to penetrate the entire Premera system?
  10. Were the attacks on Premera and Anthem connected and which company was attacked first?
  11. While Premera officials have stated that data was not moved off the Premera system can you be certain that data that was accessed cannot be used for malicious purposes?
  12. Please explain how Premera uses the National Institute of Standards and Technology health care cyber security framework to implement and evaluate its cyber security.
  13. Why did Premera opt not to be certified by the Health Information Trust Alliance (HITRUST) and in what ways did Premera’s systems fail to meet the requirements for HITRUST certification?
  14. What steps did Premera take to improve cyber security to address issues raised in the 2014 audit by the Office of Personnel Management?
  15. What additional steps will Premera be taking to improve security going forward?

 

I hope that you will make yourself available to better explain the scope of the attack, update me and my office throughout the process on how and in what manner you are ensuring Washington state families and employers get the assistance they need going forward to protect themselves and what you are doing to prevent future attacks of this nature.

Patty Murray

Ranking Member

 

Cc: Senator Lamar Alexander, Chairman

 



Jim Camden
Jim Camden joined The Spokesman-Review in 1981 and retired in 2021. He is currently the political and state government correspondent covering Washington state.
