A motion has been filed on behalf of the plaintiffs in a class action lawsuit against Premera Blue Cross insurance. Filed on August 30, 2018, in the US District Court in Portland, Oregon, the motion alleges that the company failed to preserve evidence of potential data exfiltration in a security incident that occurred in March 2015.
According to the motion, “Plaintiffs move for sanctions against Defendant Premera for discovery misconduct. By willfully destroying: (a) a computer that the hackers used in the data breach and which may have held evidence of data exfiltration; and (b) data loss prevention software logs that may have shown evidence of data exfiltration, Premera spoliated key evidence and prejudiced Plaintiffs’ ability to achieve a rightful decision in this case.”
Because key evidence was reportedly destroyed, the motion also asked that the judge instruct jurors to presume exfiltration occurred; however, Premera has maintained that the security incident did not result in a data breach and that there was no exfiltration.
Evidence of whether there was any exfiltration has been confused by the multiple reports throughout the investigation. Plaintiffs initially understood that forensic evidence confirmed a data breach, but when they requested evidence, key information was missing.
“In particular, Plaintiffs asked Premera for two categories of evidence: (1) files contained on the hard drives of computers compromised by the hackers; and (2) log files from Premera’s various types of data security software – both of which can show evidence of exfiltration and both of which Premera destroyed well after Plaintiffs filed their complaints.”
In the aftermath of the March 2015 incident, Madiant, a FireEye company, had conducted the initial forensic investigation of all 35 computers involved. However, when the plaintiffs requested the forensic images to conduct their own investigation, Premera only provided evidence from 34 computers, claiming that the 35th computer had been destroyed.
The motion contends that Mandiant had indeed found evidence of exfiltration in an unusual RAR file, software commonly used by hackers to compress files. The 35th computer was reportedly a developer computer.