Health insurer Premera Blue Cross said Tuesday it was hit by a cyberattack that could affect 11 million people.
Hackers may have accessed names, dates of birth, Social Security numbers, mailing and email addresses, phone numbers, member ID numbers, bank account information, and clinical information of members and applicants, the insurer said.
Members of Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and affiliate brands Vivacity and Connexion Insurance Solutions, along with members of other Blue Cross Blue Shield plans who sought treatment in Alaska or Washington, may have also been impacted, Premera said.
The company said in a release it discovered the breach on Jan. 29, more than eight months after hackers gained access to its systems.
Washington state's insurance commissioner, Mike Kreidler, said in a statement that more than 6 million customers in the state were affected. "I'm concerned that while Premera learned of this attack in January, it took approximately six weeks to notify my office," he said.
Premera spokesman Eric Earling said the company coordinated with the FBI after learning of the breach, and was advised to wait until it had secured its systems before informing those whose information might have been compromised.
"They know from past experience" that hackers might have used their access, and put people at greater risk, if they knew the company was working to secure its information, Earling said.
Those that hacked into Premera's systems have all they need to "get loans, commit tax fraud, medical identity theft, child identity theft (assuming children were part of the covered community), synthetic identity theft and criminal identity theft," Adam Levin, chairman and co-founder of Credit.com, said in an email.
"Depending upon what clinical information they got, they have an opportunity to commit blackmail and extortion," added Levin, the former director of the New Jersey Division of Consumer Affairs. "Premera customers will be forced to look over their shoulders for the rest of their lives."
Premera, which began emailing notifications Tuesday, said it will offer those affected two years of credit monitoring and identity theft protection services. The company stressed it would not email members about the breach, and that members should beware of email "phishing" attacks.
Premera members should use the services being offered by the company, and check bank and credit card accounts daily, along with treating any email or phone calls claiming to offer protection services, as it could be an attempt to garner additional information, Levin advised.
"Make sure to file your tax return ASAP to front-run the possibility that a fraudster might be trying to file using your Social Security number, name and date of birth," Levin added.
The FBI, which praised the company for quickly notifying it of the breach, said in a statement that it is working with Premera to determine "the nature and scope of this incident." The agency advised those contacted by Premera to monitor and safeguard their personally identifiable information and report any suspected instances of identity theft to the FBI's Internet Crime Complaint Center at ic3.gov."
Members can contact the insurer at 1-800-768-5817 and get updates at premeraupdate.com.
Last month, health insurer Anthem disclosed a breach affecting about 80 million customers, and companies including Target, Home Depot and Sony Pictures Entertainment have disclosed data breaches in recent months.