Attorneys representing the plaintiffs in a federal class-action data breach lawsuit filed against Premera Blue Cross have entered a motion for sanctions against the health insurance organization for allegedly destroying key evidence in the case with willful intent.
Filed on Aug. 30 in U.S. District Court in Portland, Ore., the motion claims Premera ordered the spoliation of a key computer hard drive, as well as data loss prevention log files, that many have contained proof that customers’ sensitive personal data was exfiltrated by hackers. The plaintiffs have alleged that Premera either knew or should have known that the destroyed equipment and records could have held key information that the defense would want to review to solidify its case.
The breach, which was traced back to a May 2014 attack, affected roughly 11 million Premera Blue Cross members and applicants whose data was stored on the Mountlake Terrance, Wash.-based company’s IT systems. Victims responded to the incident with a series of class-action lawsuits, which were later consolidated.
To remedy the alleged misconduct, the plaintiffs have requested that the Court instruct the jury to presume that data exfiltration did occur during the breach incident. The plaintiffs’ lawyers have also asked for an order forbidding Premera’s third-party cyber analyst firm Mandiant from providing any testimony that hinges on its experts’ analysis of the evidence prior to its destruction. And finally, they are seeking an order to prevent Premera from turning in any additional evidence related to the destroyed computer and logs.
Premera’s defense rests on the argument that the plaintiffs cannot demonstrate any actual monetary damages because there is no actual evidence of hackers exfiltrating their data from the company’s systems. But the plaintiffs’ attorneys say in their motion that any such evidence was deliberately and permanently lost when Premera destroyed a special “developer” computer that was “loaded with robust software and afforded security clearance to Premera’s most sensitive databases.”
According to the filing, experts from Mandiant found a malware program capable of data exfiltration — referred to as “PHOTO” — on this one and only computer in Premera’s system. While 34 other affected computers were sequestered by Premera for investigation, this lone exception was instead designated end-of-life and ordered destroyed.
“The destroyed computer was perfectly positioned to be the one-and-only staging computer hackers needed to create vast staging files for the purpose of shipping even more data outside of Premera’s network,” the motion states.
Meanwhile, the logs Premera allegedly also discarded were from a data loss prevention software program. According to the plaintiffs, Premera admitted during the formal discovery process that it no longer possesses the DLP logs from the time of the breach, even though such records could have contained evidence of customer information leaving the company’s systems.
The decision to destroy the developer computer and the DLP logs came “well after Plaintiffs filed their complaints,” the motion continues. SC Media reached out to Premera and its attorney for comment.
“We are aware of the motion for sanctions that was recently filed by the plaintiffs in the class action arising from the 2015 cyberattack at Premera,” said Steve Kipp, VP of corporate communications at Premera, in response to an inquiry from SC Media. “It is the type of motion that is not uncommon in complex litigation involving voluminous physical and documentary evidence, and represents just one of many disputes that can arise during the discovery phase of a lawsuit. We disagree with the motion and do not believe the facts justify the relief plaintiffs have requested. Our attorneys will be filing a response in due course.”