Skip to content Skip to navigation

Report Indicates Premera Knew of Vulnerabilities Before Breach

March 19, 2015
by Gabriel Perna
| Reprints

A government agency warned health insurer Premera that its data protection practices were not up to industry standards right before it was victimized by a major cyber attack.

The report, from the U.S. Office of Personnel Management's Office of the Inspector General, was released on Apr. 17, 2014. One month later, Premera was a victim of a cyber attack that affected up to 11 million of its customers, the Mountlake Terrace, Wash.-based company revealed this week. The company had discovered the breach in late January.

The report details Premera’s lack of thorough network security controls, saying the company’s patches were not being implemented in a timely manner and there had been no methodology to ensure unsupported out-of-date software is not utilized; and it had an insecure server configuration. Importantly, the authors said that its vulnerability scan revealed that several servers contained insecure configurations that could allow hackers access to sensitive information. Premera promised to “remediate” that last one by the end of 2014.

Furthermore, the authors of the report noted the physical access controls to the Premera’s data center could have been improved and lack of compliance with its password policy. It also said that Premera’s disaster recovery testing planning methods could be improved, which the insurer disagreed with in its response.

In an interview with The Seattle Times, a spokesperson for the company said the concerns outlined in the audit and the hack were separate issues.

Premera is the second major payer to be the victim of a cyber attack. Anthem, a large Indianapolis-based payer, suffered a massive hack of its IT systems in February that exposed the personal data of approximately 80 million customers.



OSU Wexner Medical Center Receives AHIMA Grace Award

The Ohio State University Wexner Medical Center (OSUWMC) received the American Health Information Management Association (AHIMA) annual Grace Award in recognition of its leadership in health information management.

Kansas Health Information Network Expands its Network across State Lines

The Kansas Health Information Network (KHIN) has announced that it is expanding its horizons, and is now connected to Health Information Exchange Texas (HIETexas).

CMS Selects Vendor to Modernize Critical Identity Infrastructure

The Centers for Medicare & Medicaid Services (CMS) last week announced it had selected San Francisco-based vendor Okta to enhance the security of its information systems.

Mayo Clinic, ASU Partner for Medical Education, Healthcare Innovation

The Mayo Clinic and Arizona State University have announced a partnership centered on transforming medical education and healthcare in the U.S. through a variety of innovation efforts.

CMS Hospital Compare Website Updated with VA Data

The Centers for Medicare & Medicaid Services (CMS) has announced the inclusion of Veterans Administration (VA) hospital performance data as part of the federal agency’s Hospital Compare website.

CMS Awards Funding to Special Innovation Projects

The Centers for Medicare & Medicaid Services (CMS) has awarded 20, two-year Special Innovation Projects (SIPs) aimed at local efforts to deliver better care at lower cost.