Health insurer Premera Blue Cross said on Tuesday it was a victim of a cyber attack that may have exposed medical data and financial information of 11 million customers in the latest case of a health care company reporting a serious breach.
It said the attackers may have gained access to claims data, including clinical information, along with banking account numbers, Social Security numbers, birth dates and other data in an attack that began in May 2014 and was uncovered Jan. 29.
It is the largest breach reported to date involving patient medical information, according to Dave Kennedy, an expert in health care security who is chief executive of TrustedSEC.
Breaches over the past year at health insurer Anthem and hospital operator Community Health Systems involved a larger number of records, but those companies said they believe the attackers did not access medical information.
Medical records are highly valuable on underground criminal exchanges where stolen data is sold because the information is not only highly confidential, it can also be used to engage in insurance fraud.
“Medical records paint a really personal picture of somebody’s life and medical procedures,” Kennedy said. “They allow you to perpetrate really in-depth medical fraud.”
The insurer said it has so far uncovered no evidence to show that member data was “used inappropriately.”
The attack affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and affiliate brands Vivacity and Connexion Insurance Solutions.
“We at Premera take this issue seriously and sincerely regret the concern it may cause,” Chief Executive Jeff Roe said in a statement.
Premera has set up a hot line to field members’ calls and is offering free credit monitoring. More information is available at www.premeraupdate.com.
“As much as possible, we want to make this event our burden, not that of the affected individuals,” Rowe said in the statement.
Premera is working with the FBI and FireEye to investigate the matter.
(Reporting by Jim Finkle; Editing by Dan Grebler)
This article originally appeared on Recode.net.