Premera Blue Cross hacker victims claim insurer trashed server to hide data-slurp clues

Cover-up – or just admins following usual upgrade cycle?

Health-insurance biz Premera Blue Cross has been accused of deliberately knackering one of its computers to cover up details of a cyber-break-in. The organization denies any wrongdoing.

The allegation was leveled last week against Premera, and is the latest twist in a long-running class-action lawsuit filed by the insurer's customers against the business.

It all relates to the 2014-2015 network intrusion at the US health insurer. The biz realized in January 2015 it had been hacked, eight months after miscreants first broke into its systems in May 2014.

The hackers potentially accessed the personal data of up to 11 million people, as well as information on Premera's workers, partners, and healthcare providers and other business associates. That information may have included names, dates of birth, bank account details, email and home addresses, phone numbers, and Social Security numbers of people who had either taken out or applied for health insurance. Details of claims and some medical information may also have been available to the intruders.

Premera Blue Cross said in March 2015 that it was unclear whether or not sensitive and personal data had been siphoned off from its systems, a position it still maintains – and one that the plaintiffs' lawsuit seeks to challenge. In short, they want to prove information was swiped from Premera's network.

This is why you do security audits

Following the discovery of security vulnerabilities in Premera's systems by auditors at the US Office of Personnel Management in April 2014, the insurer drafted in experts from FireEye Mandiant in October that year to shore up its network. Mandiant's eggheads discovered the well-hidden intrusion months later in January 2015 before subsequently identifying 35 infected computers.

The plaintiffs in the lawsuit claim they have only been able to produce forensic images “for 34 of those 35 computers; the 35th computer had been destroyed.”

According to court documents filed in an Oregon district court at the end of August this year, data on the missing computer is critical to understanding what happened during the hack – because it was, apparently, a system with admin access to the network and was infected by malware that acted as a fulcrum of the whole attack.

“The 35th computer, called [redacted] was a ‘developer’ computer – loaded with robust software and afforded security clearance to Premera’s most sensitive databases,” the filing claimed.

“Mandiant found that [redacted] contained a unique piece of hacker-created malware that Mandiant called PHOTO. Mandiant found PHOTO only on [redacted]. PHOTO malware had the capability to upload and download files, and to exfiltrate data. Hackers accessed PHOTO on [redacted] between May 12, 2014 and February 2015," the lawsuit states.

"The destroyed computer was perfectly positioned to be the one-and-only staging computer hackers needed to create vast staging files for the purpose of shipping even more data outside of Premera’s network."

The 35th element

That 35th computer allegedly contained evidence proving that the hackers used customized malware to download sensitive data. This system was apparently marked as an “end-of-life” asset in 2016 by Premera’s IT team and destroyed.


Premera healthcare: US govt security audit gave hacked biz thumbs up


The plaintiffs alleged the machine was deliberately ruined to hide evidence that hackers siphoned off sensitive information, a key plank in their claims for damages: after all, they want the jury in the case to "presume that exfiltration occurred," as ZDnet noted this week.

It was further claimed the destroyed computer's hard drive contained archives created by hackers to exfiltrate that data, along with other evidence. The lawsuit paperwork also alleged that Premera Blue Cross wiped vital access logs.

In a statement, Premera Blue Cross denied the allegations, adding that it would contest the action.

Steve Kipp, veep of corporate communications, said: "We are aware of the motion for sanctions that was recently filed by the plaintiffs in the class action arising from the 2015 cyberattack at Premera. It is the type of motion that is not uncommon in complex litigation involving voluminous physical and documentary evidence, and represents just one of many disputes that can arise during the discovery phase of a lawsuit.

"We disagree with the motion and do not believe the facts justify the relief plaintiffs have requested. Our attorneys will be filing a response in due course." ®

Similar topics

Other stories you might like

Biting the hand that feeds IT © 1998–2022