Cyberattack may have impacted personal information of 6 million current and former Washington state residents
Murray expresses concern over Premera’s delay in informing those impacted
(Washington, D.C.) – Today, U.S. Senator Patty Murray (D-WA), Ranking Member of the Senate Health, Education, Labor, and Pensions (HELP) Committee wrote a letter to Premera Blue Cross demanding answers following a security breach that left the personal information, and potentially the health and financial information, of 11 million people, including 6 million current and former Washington state residents, vulnerable to attackers. In the letter, Murray questioned Premera President Jeff Roe on the company’s failure to immediately inform the 11 million current and former policy holders that their information may have been compromised. She also asked about the company’s plans to help those impacted get the assistance they need and what the company is doing to prevent future cyberattacks of this nature.
“I write to express my serious concern regarding the cyberattack on Premera Blue Cross and the failure of the company to make this information public and begin notifying current and former policy holders for over six weeks,” Senator Murray wrote in the letter. “These failures are particularly troubling given the scope of the attack…I hope that you will make yourself available to better explain the scope of the attack, update me and my office throughout the process on how and in what manner you are ensuring Washington state families and employers get the assistance they need going forward to protect themselves and what you are doing to prevent future attacks of this nature.”
Last month, along with HELP Committee Chairman Lamar Alexander (R-TN), Murray announced an ongoing, bipartisan HELP Committee oversight initiative to examine the security of health information technology and the health industry’s preparedness for cyber threats.
Full text of the letter:
Dear Mr. Roe:
I write to express my serious concern regarding the cyberattack on Premera Blue Cross and the failure of the company to make this information public and begin notifying current and former policy holders for over six weeks. These failures are particularly troubling given the scope of the attack. Not only did attackers access the personal information, such as names, birthdates, and Social Security numbers of millions of my constituents, they also potentially gained access to the personal health information and financial information of 11 million people, including 6 million current and former Washington state residents. In addition, the confidential financial information of employers in my state, ranging from some of the largest companies with thousands of policy-holders to smaller organizations that are least able to bear the cost of the attack, was accessed.
It is reported that the breach of Premera’s system was discovered on January 29, 2015, the same day as the breach of Anthem Incorporated’s system, and investigations have now demonstrated that both originated around the same time in May 2014. As you know, unlike similar recent breaches affecting retail and financial service companies, the Health Insurance Portability and Accountability Act (HIPAA) requires that Premera provide notice without unreasonable delay and no later than 60 days after discovery of the breach. I recently urged Anthem to accelerate the pace of notifying consumers as they have yet to reach more than 50 million of the nearly 80 million potentially impacted Americans. And while I understand that both Anthem and Premera have worked closely with the Federal Bureau of Investigation and outside cyber security experts to investigate and address these attacks, I am very concerned by what led to Premera’s delay in making information about the breach public.
I understand that Premera has now started to notify each of the affected individuals regarding the attack, and to offer two years of credit monitoring to those customers. I am glad that Premera is taking action on behalf of their customers. However, I remain concerned about the potential harm resulting from this enormous breach and what efforts that Premera will make to ensure that any harm is remedied. It is my hope that Premera can move with great speed and efficiency to ensure that my constituents receive prompt notice and information about the services that are being made available to them.
At the beginning of the 114th Congress, I joined U.S. Senate Health, Education, Labor, and Pensions Committee Chairman Lamar Alexander (R-TN) in a bipartisan oversight initiative to examine the health industry’s preparedness for cyberattacks, including looking at what steps are currently being taken to protect against cyberattacks, what the industry and government should be doing to better protect patients’ personal information, and what barriers exist to making those improvements. I hope Premera will assist us in this effort to mitigate the impact of future cyberattacks on America’s health infrastructure.
While I understand that this attack is creating serious challenges for you, I would like to receive answers to the following questions by Friday, March 27, 2015:
I hope that you will make yourself available to better explain the scope of the attack, update me and my office throughout the process on how and in what manner you are ensuring Washington state families and employers get the assistance they need going forward to protect themselves and what you are doing to prevent future attacks of this nature.
Cc: Senator Lamar Alexander, Chairman