The cyberattack against Premera Blue Cross disclosed this week affects significantly fewer people than this year's Anthem hack, but the value of the information exposed could pose a bigger threat to the insurer.
Premera discovered in January that a May 2014 cyberattack breached a system holding 11 million people's records, the company announced on Tuesday. The records exposed may have included clinical and financial records, in addition to personal information like addresses and Social Security numbers. Anthem has said it believes the theft of data on nearly 80 million customers and employees was confined to the latter category.
Medical-record theft can be particularly costly for the victims. A February 2015 report from the Ponemon Institute surveying medical-identity theft victims found that about two-thirds said they had paid money to resolve the theft. Those patients paid an average of $13,500.
Patients may be able to seek damages for identity theft that occurs years after the free identity-theft protection the company is offering has ended, said Ken Dort, a partner in the law firm Drinker Biddle who specializes in information technology. The plaintiffs, however, would have to prove that the theft was linked to the Premera hack, which could be difficult.
Eric Earling, Premera's vice president of communications, said it's too early to say whether the breach will significantly affect Premera's bottom line. He declined to say whether Premera had a cybersecurity insurance policy. Anthem has said its cybersecurity policy would limit the damage to its financial results.
“We're in a position as a company even before any of this where we're successful as a business and we have strong reserves to provide for our customers,” Earling said.
Though Premera is offering customers two years of free credit-monitoring and identity-theft protection, that will do little to protect them against identity thieves who may wait a few years to use or sell the data. Plus, experts say, most credit-monitoring programs don't protect customers against the effects of medical-identity theft, which can be far more harmful.
When asked what Premera was doing to protect its members' clinical information from being used fraudulently, a Premera spokesman referred the inquiry to Experian, the company hired to provide credit-monitoring for affected customers.
An Experian spokeswoman said the product would track whether an individual's medical-record number or insurance card is used to purchase medical services that go unpaid because that would appear on an individual's credit report. Experian does not track changes in the medical record, and it does not monitor the use of information to make claims for medical services until those services go unpaid.
Changes to medical records caused by medical-identity theft can be particularly harmful to patients, Project Japan reported earlier this month. Fraudulent use can even be lethal if it means allergies or conditions aren't properly noted in the record.
Having an individual's personal, clinical and financial information gives identity thieves a more convincing profile, allowing them to engage in what's called “total identity theft,” said Pamela Dixon, executive director of the World Privacy Forum, a San Diego-based non-for-profit organization.
The trifecta of data accessed in this case is the “worst-case scenario," Dixon said. "The people who were exposed in this breach will have to be on guard for at least a decade."
The company says that it has no evidence that hackers actually removed data from its systems, only that the systems were breached. But Dixon said there are ways the attackers could have stolen data without a trace and that she wouldn't be surprised if they did given the length of time they had access.
Although companies are under pressure to be more proactive about data security, the number and size of recent breaches suggest it's increasingly likely consumers will have their information exposed at some point.
“You now have a situation where to be a reasonable consumer you almost need to sign up with one of the (credit protection) bureaus on a nonstop basis,” Dort said.
Follow Adam Rubenfire on Twitter: