Insurance commissioner investigating Premera breach (King5)
SEATTLE — One week after Premera revealed a security breech that impacted millions of customers, the Washington State Insurance Commissioner announced Tuesday he’s investigating the attack.
Mike Kreidler not only wants to know how it happened, but what took so long to tell customers.
The Insurance Commissioner’s Office learned about the Premera security breach the same day the public did, last Tuesday.
“It was six weeks after they made the discovery. That’s inexcusable,” said Kreidler.
Kreidler says as the state regulator, his office had a right to be informed of what he calls a huge intrusion. Eleven million people had their most private information exposed, six million in Washington state alone.
Premera says the initial attack happened last May. The company discovered it in January, and they had good reason to hold off on going public.
“We were advised that these type of cyber attackers will engage in even more malicious activity if you make an announcement before you secure IT systems,” said Eric Earling, vice president of Premera corporate communications.
“That doesn’t carry any weight with me,” Kreidler said. “I understand what they’re concerned about. But notifying us, we have all kinds of confidential information we deal with here through this office, this is not an exception.”
An even larger insurer, Anthem, which is also a Blue Cross Blue Shield licensee, suffered a similar attack this year. As many as 80 million customers may have had their information stolen. Customers responded by filing lawsuits in several states.
Premera says it has no evidence any data left its system, but it doesn’t mean the information wasn’t accessed.
The company is offering two years of free credit monitoring and identity theft protection services to its customers. Earling says 88,000 people have signed up so far.
Washington State Attorney General Bob Ferguson says when it comes to notification, time is of the essence.
“There is actually not a deadline for anyone like Premera or anyone else who has had a data breach in which they must notify consumers or the AG’s office,” said Ferguson.
He’s proposing legislation requiring companies to inform customers within 45 days of a breach. For Premera customers, more than 300 days passed before they were notified.