DataBreaches.Net

Feds warned Premera about security flaws before breach

Posted on March 18, 2015 by Dissent

Mike Baker reports:

Three weeks before hackers infiltrated Premera Blue Cross, federal auditors warned the company that its network-security procedures were inadequate.

Officials gave 10 recommendations for Premera to fix problems, saying some of the vulnerabilities could be exploited by hackers and expose sensitive information. Premera received the audit findings April 18 last year, according to federal records.

Read more on Seattle Times.

I’m waiting for someone to discuss whether, if OCR had been more actively auditing covered entities, the Anthem and Premera breaches would have occurred.

Category: Hack, Health Data, Of Note, U.S.


2 thoughts on “Feds warned Premera about security flaws before breach”

  1. IA Eng says:
    March 19, 2015 at 8:05 am

    It boils down to the technique the hackers actually used to get into the system.

    I work in Information Assurance (IA) and Network Security. I don’t know what these security individuals do all day long at their offices. Three weeks is not a long time at all to try and correct any issues with devices that are on “live networks”. For most of them, you cannot simply make a few changes, reboot, and see if they took correctly.

    Of course, this doesn’t excuse them for ignoring the security issues in the first place.

    The IT shop, or someone in IA, should perform regular vulnerability scans for issues concerning patches. It becomes a bit of a mess when you’re looking for vulnerabilities while scanning against SQL-style attacks and avenues. Some of these attacks can be quite aggressive and may take down parts of the network. Sure, all vulnerability scanning can be planned and not performed during peak hours. If staff is clueless on how to perform these actions, a 3rd-party auditor can come in and perform the scans. Most scan results should provide steps for mitigating or correcting any issues. Also, Google is a powerful search tool for finding ways to correct any issues – as long as you use reliable sources.

    As far as any auditing agencies involved, I do not know how many different entities, in total, have to be checked. There are many huge, big and small health care businesses out there. All are probably subject to the same basic compliance testing, and all probably go through some sort of certification. The problem is, schedules are always changing, audits take longer, entities get rescheduled or otherwise.
    So in a nutshell, if there is a skeletal compliance schedule out there, it’s probably riddled with holes. Understaffed and potentially undermanned, it tries to rely on 3rd-party scans and the “good word of the corporation” that all is well. Many of the “O’s” probably do not realize when they lose a key player who used to keep the compliance up to snuff. They leave, responsibilities shift and some eventually fall through the cracks.

    Everyone dreads audits; they are painful. Though the information is out there, some of the paperwork they use is simply poorly worded, and the reasoning why the setting needs to be accomplished should simply be left blank. The reasons are cut and pasted from other online documents and make no sense whatsoever. Add in the fact of a staff that’s probably underpaid, overworked and stressed. A person in that scenario will probably pick the paperwork up, get through a few steps before the BS meter gets pegged and the book is dropped. Time passes, new issues arise and old ones get noticed by outside entities.

    If patch management and software management are not in place and done on a regular basis, this is a big deal. It shows lack of due care and due diligence. If they consider the information they are storing on these servers “private”, they would be keeping up on what is used and what is not. Any antiquated software should have been removed, or, worst case, take the entire server off the network or put protections in place (whitelists/blacklists) to keep unauthorized personnel from even seeing it. Again, if they don’t give a crap about the computers and data around them, they sure as hell don’t care about the customer’s data either, no matter what hype they come up with in the end.

    The bottom line is, the companies that crow “we take the privacy of your information seriously” are only doing so after the fact. After a breach, leak, insider threat or otherwise, they are under the microscope and have to shift their lives out of the social sites and into work once more. Attention to detail has gone to hell in a handbasket over the last 5-10 years. There are some organizations that are still doing it right, and they too may be at risk, due to a simple password reuse by an employee who has elevated rights.

  2. JJ says:
    March 19, 2015 at 3:57 pm

    The best part of the report was “Nothing came to our attention to indicate that Premera does not have an adequate security program.”

    Here’s one: You found several serious weaknesses. Duh. And that was before they got hacked. That was as priceless a statement as Heartland Payment Systems getting hacked in the middle of their PCI assessment and then passing their assessment as compliant.

    Paperwork being in order never stopped a breach. If a federal regulator finds something, you can rest assured that reality is ten times or a hundred times worse.


© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.