Premera Blue Cross victims accuse insurer of deliberately destroying hacking evidence

A class-action lawsuit against a hacked health insurer is claiming that a crucial computer was wilfully destroyed, erasing critical evidence that could prove the severity of the security breach.

What’s not in dispute is that in March 2015 health insurance company Premera Blue Cross admitted it had fallen victim to hackers who had managed to gain access to the personal information of as many as 11 million people.

Private data exposed in the “sophisticated” attack included the names, dates of birth, email addresses, postal addresses, phone numbers, bank account details, and Social Security numbers of members and insurance applicants.

In addition, details of claims and medical information lodged with the health insurance company were also thought to have been compromised during the attack which was not discovered until January 2015, but was thought to have started as far back as May the previous year.

It was a bad time for US health industry and its members, after a spate of attacks which saw different insurers such as Anthem and CareFirst hacked.

The cost of some of these breaches to the firms concerned was considerable with Anthem, for instance, forced to establish a record $115 million fund for individuals affected.

However, as ZDNet reports, evidence that data was successfully exfiltrated in the Premera Blue Cross incident may be hard to come by.

Security firm Mandiant, brought in by Premera Blue Cross to investigate the incident, identified 35 of the computers as infected, and “discovered fragments of RAR files, which are created by compression software commonly used by hackers to shrink files to a manageable size before exfiltration.”

However, the lawsuit’s plaintiffs are claiming thate Premera Blue Cross has only been able to produce forensic images “for 34 of those 35 computers; the 35th computer had been destroyed.”

According to court documents, the forensic experts believed that 35th computer to be a critical part of the hack:

“The 35th computer, called A23567-D, was a ‘developer’ computer – loaded with robust software and afforded security clearance to Premera’s most sensitive databases.”

“Mandiant found that A23567-D contained a unique piece of hacker-created malware that Mandiant called PHOTO. Mandiant found PHOTO only on A23567-D. PHOTO malware had the capability to upload and download files, and to exfiltrate data. Hackers accessed PHOTO on A23567-D between May 12, 2014 and February 2015.

That 35th computer is suspected to contain critical evidence proving that the hackers used the PHOTO malware to upload sensitive data to a third-party server under their control.

But Premera’s IT team destroyed the computer in question, marked as an “end-of-life” asset, on December 16, 2016.

If the plaintiffs get their way the judge overseeing the case will instruct the jury to assume that exfiltration occurred, a blow to Premera Blue Cross who could argue that damages were not incurred by the hackers if nothing was actually stolen.

We’ll have to wait and see who wins this legal argument, but there is a salutary lesson for all IT teams here. In the wake of a security breach, be careful not to destroy any evidence. You never know when it might come in useful – whether to help identify who might have attacked you, what the hackers may or may not have done, and indeed whether or not your company might have to spend million compensating the victims.

Leave a Reply