Premera Blue Cross was warned to fix security holes weeks before it was breached.
The Washington-based health insurance company announced on Tuesday that information on about 11 million members and applicants may have been compromised after unauthorized access was gained to its IT systems in an attack that began on May 5, 2014.
More than two weeks prior, on April 18, 2014, Premera received an audit report and was advised – in 10 recommendations – to address vulnerabilities that could be exploited by attackers to compromise sensitive data.
Eric Earling, a Premera spokesperson, told SCMagazine.com in a Thursday email correspondence that the audit was routine, and was carried out by the Office of Personnel Management (OPM) as part of Premera's participation in the Federal Employee Health Benefits Program.
“I think it's important to note that OPM's routine audit found no concerns with Premera's security management or compliance with HIPAA security standards,” Earling said.
Premera worked with OPM to address questions raised in the report, Earling explained, going on to add, “[Premera believes that] the questions OPM raised in their routine audit are separate from the sophisticated cyberattack targeted at us.”
Premera did disagree with a few recommendations in the report, including one related to critical security patches and another involving routine disaster recovery testing. Additionally, Premera indicated that some recommendations would not be appropriately addressed until later on in 2014.
“For our part, we at Premera are focused on addressing this issue with enhanced IT security and providing those affected by this attack the assistance they need moving forward,” Earling said, adding that Mandiant was tapped to cleanse IT systems of the infection, as well as to aid in the investigation.