Premera Blue Cross Destroyed Key Evidence of Cybersecurity Breach


There is a new development in the lawsuit filed by victims of the 2015 Premera Blue Cross data breach. According to the victims, Premera Blue Cross intentionally destroyed the evidence showing the data theft.

Premera Blue Cross experienced a cyberattack in 2015 in which attackers accessed or stole the protected health information (PHI) of 11 million plan members. This security breach was the second-biggest incident reported by a healthcare provider, after Anthem Inc.’s 78.8 million-record security breach, which also took place in 2015.

Premera Blue Cross discovered the security breach in January 2015; however, the investigation showed that the attackers had gained access to its system in May 2014. The plan members’ protected health information (PHI) and personally identifiable information (PII) were possibly accessed by the hackers for 8 months before the breach was discovered and data access was blocked.

Given the enormity of the breach, victims filed a number of class action lawsuits, which were then combined into a single class action lawsuit. The Premera Blue Cross lawsuit is not yet settled, and it is probable that the judgment will be delayed even further. The plaintiffs claimed that Premera Blue Cross destroyed important information that might have aided in deciding the lawsuit.

Mandiant is the third-party computer forensics company that is investigating the data breach. Mandiant discovered that 35 Premera computers were compromised in the cyberattack, and the hackers possibly used those computers to gain access to 11 million plan members’ records.

Though no definite proof was found to verify that information was exfiltrated, Mandiant discovered a few RAR files on one compromised computer. RAR files are archive files that the hackers might have used to transmit information rapidly. If the hackers created RAR files, it indicates that the files were used to exfiltrate information and were then deleted to hide the hackers' tracks.

The plaintiffs sought all the evidence, such as photos and hard disk drives, that Mandiant discovered in the course of the investigation. Premera, however, claimed that photos of only 34 of the 35 computers are available, since one computer, known in court as document A23567-D, was destroyed on December 16, 2016, about one year after the court action began.

A23567-D is believed to be the only evidence that could verify the extraction of data. It was the only computer that had malware known as PHOTO, which could carry out registry alteration, program execution, and downloading and uploading of files. The hackers communicated with that computer daily from July 2014 until January 2015, when Premera discovered the cyberattack and stopped remote access.

It appeared that the computer was sent for disposal by mistake; Premera considered it no longer usable. The problem for the victims is that they lost a crucial piece of evidence of data theft, and without it the lawsuit cannot succeed. Premera maintains a ‘no harm, no foul’ defense, contending that the plaintiffs cannot claim Premera caused them harm unless they can show that sensitive data was extracted from Premera’s computer system.

The disposal of the computer, whether intentional or not, is seriously damaging to the lawsuit. The victims submitted a motion in the U.S. District Court in Portland saying that, without access to that hard disk drive, it is not possible to confirm that the hackers took plaintiffs’ PII and PHI from the computer system.

In addition, the motion states that Premera Blue Cross was unable to maintain data loss logs from its Bluecoat Data Loss Prevention (DLP) system, which probably could have verified that plan members’ information was compromised. It is believed that those data files were also erased after the filing of the case.

Premera Blue Cross provided a declaration stating its disagreement with the plaintiffs’ request and motion. Premera’s attorneys will file the response to the motion by September 28, 2018.

If the motion is approved, a federal judge could then tell a jury that major evidence was destroyed and that they should assume that data extraction had happened. Premera would then be unable to call in computer specialists to state that no data was extracted.

A favorable ruling does not guarantee success or a settlement. For damages to be awarded, the victims in the lawsuit must still show that they suffered losses due to the security breach.