Medical Data Exposed As Another Blue Cross Insurer Succumbs to Hackers

Healthcare and Public Health // United States

A computer intrusion at Premera Blue Cross might have compromised health and financial information on 11 million customers.

This seems to be the largest known breach involving patient medical information.

Beginning May 2014, the attackers accessed claims data including clinical information, along with banking account numbers, Social Security numbers, birth dates and other data.

The infiltration was uncovered on Jan. 29, the day that Anthem, a separate Blue Cross Blue Shield insurer, disclosed a hack involving non-medical, personal records of some 79 million BCBS members nationwide.

Premera says the two attacks are not related and that the company independently identified its breach.

However, investigative blogger Brian Krebs writes that there are indications one Chinese espionage group is behind both hacks.

The group, interchangeably called “Deep Panda,” “Axiom,” “Group 72,” and the “Shell_Crew,” began carving into Anthem in late April 2014, and the evidence hints that Premera was also a target.

The red flags revolve around an Internet address, which researchers have tied to Deep Panda activities, that was used to host a site called we11point.com (Anthem was known as Wellpoint prior to its corporate name change in late 2014).

Security firm ThreatConnect Inc. linked that Wellpoint look-alike domain to a series of tailored attacks launched in May 2014 that apparently were designed to trick Wellpoint employees into downloading malicious software.

Last month, ThreatConnect published more information tying the same actors to a domain called “prennera.com” (notice the use of the double “n” there to mimic the letter “m”).

“It is believed that the prennera[.]com domain may have been impersonating the Healthcare provider Premera Blue Cross, where the attackers used the same character replacement technique by replacing the ‘m’ with two ‘n’ characters within the faux domain, the same technique that would be seen five months later with the we11point[.]com command and control infrastructure,” ThreatConnect researchers wrote in a blog post three weeks ago.
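The character-replacement trick described above (“1” for “l” in we11point, “nn” for “m” in prennera) can be caught by collapsing such look-alike sequences to a canonical skeleton and comparing against the organisation's own brand names. The following is an added example, not code from the article, Krebs or ThreatConnect; the substitution table, brand list and proxy log lines are constructed for illustration.

```python
import re
from typing import Optional

# Reverse map of substitutions: the two seen in the article's domains ("1" for
# "l", "nn" for "m") plus common relatives ("rn" for "m", "vv" for "w", "0" for "o").
_SUBS = {"rn": "m", "nn": "m", "vv": "w", "1": "l", "0": "o"}
_SUB_RE = re.compile("|".join(sorted(_SUBS, key=len, reverse=True)))

def skeleton(label: str) -> str:
    """Collapse look-alike character sequences to a canonical form."""
    return _SUB_RE.sub(lambda m: _SUBS[m.group(0)], label.lower())

def lookalike_brand(domain: str, brands) -> Optional[str]:
    """Return the brand a domain imitates, or None. The brand's own exact
    label is never flagged; only a literally different, skeleton-equal label."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return None
    label = labels[-2]            # registrable label, e.g. "we11point"
    for brand in brands:
        b = brand.lower()
        if label != b and skeleton(label) == skeleton(b):
            return brand
    return None

# Constructed sample proxy log lines (assumed format, not from the page).
SAMPLE_LOG = """\
2014-05-12T10:11:12Z host=login.wellpoint.com status=200
2014-05-12T10:14:03Z host=we11point.com status=200
2014-05-12T10:15:44Z host=prennera.com status=302
2014-05-12T10:16:01Z host=example.org status=200
"""
_HOST_RE = re.compile(r"host=([A-Za-z0-9.-]+)")

def scan_log(text: str, brands) -> list:
    """Return (timestamp, host, imitated brand) for each flagged line."""
    hits = []
    for line in text.splitlines():
        m = _HOST_RE.search(line)
        if not m:
            continue
        brand = lookalike_brand(m.group(1), brands)
        if brand:
            hits.append((line.split()[0], m.group(1), brand))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, ["wellpoint", "premera", "anthem"]):
        print(hit)
```

Because both the candidate label and the brand are skeletonised, legitimate names that happen to contain "nn" or "rn" still match only themselves, not a different brand.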