Premera/Blue Cross, one of the largest health insurance companies based in Washington state, disclosed Tuesday that it was the victim of a cybersecurity breach affecting 11 million customers and possibly exposing names, Social Security numbers, birthdates, bank account information, email addresses, and a series of other personal identifiers and information.
The Mountlake Terrace-based company was hit in May of last year, but the breach was not uncovered until January 29, Attorney General Bob Ferguson announced in a news release Tuesday afternoon. The Seattle Times reported 6 million customers in Washington are affected.
The company is now giving customers two years’ worth of credit monitoring, restoration services for identity theft, and identity insurance. It’s working with the FBI and a cybersecurity firm to learn more about the breach, and who executed it.
“As much as possible, we want to make this event our burden, not yours,” Premera President and CEO Jeff Roe said in a statement.
With more and more major companies falling victim to cybersecurity breaches, state legislatures are struggling to keep up, and Washington is no exception. Lawmakers are considering a raft of bills this year devoted to cybersecurity and introduced by Rep. Zack Hudgins, D-Tukwila. He worked in concert with the Attorney General’s Office on the single biggest piece of legislation, HB 1078, which would put mandatory disclosure requirements on Washington companies victimized by data breaches.
They would have a 45-day window to offer that disclosure to the Attorney General’s Office, and it’s worth noting that Premera was at the tail end of that time frame on Tuesday. The bill was amended to extend that window out from a 30-day period, but the Premera case demonstrates the drawbacks even a month for disclosure can have, considering the breach happened a full eight months prior.
Hudgins’ bill has passed the House and will be heard before the Senate Law and Justice Committee on Thursday morning, where committee chair Sen. Mike Padden, R-Spokane, said the attention devoted to Premera may add to lawmakers’ intent in getting legislation passed this session.
“It shows how important it is to really everybody,” Padden said of the breach. “We’re trying to stay a little ahead of the curve when we can.”
Hudgins has a number of other bills still alive, including HB 1469, which requires state government agencies to begin handing payment data to third parties with higher encryption standards by 2018. That passed the House 98-0 and moves over to the Senate.
HB 1561 makes security discussions involving information technology open to the state’s open meetings act, while HB 1470 would set up a panel of experts to study cybersecurity issues.
Two other bills died: HB 1466 and HB 1468, which would have put higher data encryption standards for some information kept on state government databases, and allowed the governor to declare a state of emergency because of a cybersecurity breach.
All the bills deal with two laws governing the issue, one focusing on state agencies and the other on businesses and individuals. But neither has been updated since 2005.
The slow-moving gears of the legislative process mean legislators are constantly playing catch-up, and Padden said, with the disclosure legislation coming up in committee, it may be time to look at amending the legislation to stiffen penalties under the consumer protection act if companies don’t comply.
“We may look at this, in light of Premera, to try and beef up some of the penalties,” Padden said. “It’s just another example of why we need to take this stuff so seriously.”