Published on December 14th, 2019
Minnesota Blue Cross scrambles to boost cyberdefenses
Blue Cross Blue Shield of Minnesota is working rapidly to shore up its cybersecurity defenses after an internal whistleblower raised alarm that the state's largest health insurer had long neglected thousands of important updates.
Internal documents show that Minnesota Blue Cross allowed 200,000 vulnerabilities classified as "critical" or "severe" to linger for years on its computer systems, despite stark warnings to executives. Software patches were available to fix most of the weak points.
The top cybersecurity executive at Minnesota Blue Cross says the insurer has been working diligently in recent weeks to bring the number of security vulnerabilities as low as possible by year's end.
"We certainly understand that our members expect us to protect their most sensitive data, and we want them to know that we are committed every single day to doing just that," Minnesota Blue Cross Chief Information Security Officer Amy Eklund said in an e-mailed statement.
Minnesota Blue Cross insures 2.8 million people, including about 1 million outside Minnesota, and brings in $6.7 billion in annual revenue. Its computer systems contain members' demographic information, medical billing codes and financial records – prized data for identity thieves and other cybercriminals.
Pam Dixon, executive director of the World Privacy Forum, a consumer-rights group, said an insurer harboring many thousands of vulnerabilities on its computers is enough to make an IT expert "break out in a cold sweat."
"The speed and the level of sophistication at which the attackers are operating today is extraordinary," Dixon said. "It is a foolish person who is running security at a large-scale organization with a lot of PHI, personal health information, without absolutely up-to-date, pristinely managed technology."
Minnesota Blue Cross has never reported a data breach of its own systems. In 2015 the personal data of 11,000 members of Minnesota's Supervalu Group Health Plan were breached after Minnesota Blue Cross stored their information on vulnerable computers owned by another Blue Cross licensee, now called Anthem Inc.
Attackers have breached more health care records across the country in 2019, 40.8 million so far, than in the previous three years combined. Most exploit weaknesses that could have been repaired with available software patches, but weren't.
At Minnesota Blue Cross, documents obtained by the Star Tribune show that cybersecurity engineer Tom Yardic met with executives as early as August 2018 to raise alarm that important patches weren't getting done. On Sept. 16 Yardic e-mailed the board of trustees in what the e-mail describes as a last-ditch effort to push for change.
"I am sending this e-mail because I have been unable to impact the situation within the avenues the organization provides," Yardic wrote to the trustees and CEO Dr. Craig Samitt. Although the seriousness of the situation had been acknowledged in meetings going back over a year, Yardic wrote, "what has not happened is a serious attempt to remedy the situation."
Scans of the Minnesota Blue Cross network show the number of software vulnerabilities classified as critical or severe peaked at around 200,000 inside roughly 2,000 important computers called servers, according to records obtained by the Star Tribune and confirmed by the insurer. At least 89,000 of those vulnerabilities were more than three years old as of the end of last year, and some 24,000 dated to 2010 or earlier.
There were an additional 2 million vulnerabilities on Minnesota Blue Cross' 6,000 employee workstations, in part because IT staff had deployed thousands of machines that contained hundreds of unpatched vulnerabilities apiece, Blue Cross documents show.
In some cases, the same security flaw may be counted hundreds of times because it's on hundreds of machines.
Minnesota Blue Cross did not dispute the accuracy of the number of past vulnerabilities. But a spokesman said the current totals are lower – much lower in the case of workstations.
Eklund declined to reveal exactly where the "managed volume" of vulnerabilities stands today. Responding to written questions, she also said it would be "misleading" to suggest that the raw number of vulnerabilities provides a full picture of overall risk.
"Protecting our members' information is our top priority, and our efforts are ongoing," Minnesota Blue Cross officials said via e-mail. "As with all companies holding sensitive information, we remain vigilant in our security systems and testing, but we will always strive to do more."
Patching is important
There are many ways to protect vulnerable computers connected to the internet, and Minnesota Blue Cross uses many of them. But cybersecurity consultants and engineers say it's unusual to avoid the most basic step, which is to regularly install software patches, especially critical ones.
"I don't know of anyone who would say that patching isn't important," said Ryan Elmer, a Minneapolis-based technology risk manager at accounting and consulting firm Boulay. "It's like a dentist telling you not to brush your teeth."
A software patch is a piece of computer code that rewrites part of an older program to fix a security vulnerability or improve performance. Since new vulnerabilities are constantly discovered, installing patches is an ongoing job at large companies. Last year companies took an average 34 days to install the most serious ones, classified "critical" patches, and 38 days for less-severe patches, according to an analysis by cybersecurity firm Rapid7.
Unpatched computers can be vulnerable to "ransomware" attacks, in which a hacker turns an organization's information into gibberish until the victim pays a ransom. Unpatched systems can also leak sensitive data to the dark web, by allowing identity thieves to create fake user accounts on a network and export sensitive data. Attacks may compromise a single employee's workstation or can spread "laterally" across an entire network, even reaching into servers containing massive databases.
Such risks are not abstract – Blue Cross affiliates in California and Idaho reported breaches of health data just this year.
The largest-ever health data breach happened at the Blues plan in Indiana now known as Anthem Inc. Forensic analysis concluded that an attacker penetrated Anthem's network through a "phishing" e-mail to an employee in Virginia, causing the loss of nearly 79 million Anthem health records over an 11-month period in 2014 and 2015. The second-worst U.S. health breach, of 11 million records from Premera Blue Cross in Washington, also hit in 2015. A federal audit found the insurer had failed to fix known problems, including not installing software patches.
In September, Yardic told trustees that Minnesota Blue Cross risked something similar.
"Today we have approximately 2,000 servers containing confidential information that are missing a large number of critical security updates, many for several years," he wrote. "Like Premera Blue Cross, who was recently penalized for not protecting member data, we have not 'installed software updates and security patches on a timely basis' or in many cases, at all."
Larry Ponemon, who founded independent IT research firm the Ponemon Institute 17 years ago, said many companies don't patch vulnerabilities because the work is time-consuming and often complex. Patches must be tested to make sure they don't create new problems. Installing new software may require taking important computers offline.
"It takes a lot of effort. So companies just don't patch," Ponemon said. "It happens all the time."
Yet most data breaches are preventable with patches. In a survey of 2,900 IT professionals by Ponemon Institute last year, 60% of respondents said the data breaches at their companies could have happened because of a known vulnerability for which the patch was not installed.
Blues plans nationally are licensed by the Blue Cross Blue Shield Association, which says it maintains a broad security program requiring its members to meet "cybersecurity related standards and policies." The national association didn't release the specific requirements, including any requirements for handling security-related patches.
U.S. Sen. Mark Warner, D-Va., a tech investor who co-founded the Senate Cybersecurity Caucus in 2016, said many health care organizations struggle to balance patient care with the need to invest in cyber-preparedness activities.
"Health organizations should work to minimize vulnerabilities by keeping software up to date, constantly scanning for weaknesses across their entire IT infrastructure, and patching vulnerabilities as soon as they are detected," Warner said in a statement to the Star Tribune.
A push from the top
Insurers such as Minnesota Blue Cross are covered by the federal health care privacy law known as HIPAA, which requires covered entities to "identify and protect against reasonably anticipated threats" to the security or integrity of patients' electronic health information.
The law does not require organizations to install every software patch. However, it does require HIPAA-covered organizations to mitigate risks from unpatched vulnerabilities, either by installing the patch or establishing other compensating controls, like restricting network access or disabling network services that could be exploited remotely, federal officials said last year.
Minnesota Blue Cross officials say their servers undergo rigorous "penetration testing" on a quarterly basis, and the company's network is protected by many layers of security to prevent and detect intrusions.
"We have invested heavily in our security program, which comprises both prevention and detection capabilities," a company statement said. "These capabilities are supported by advanced detection [tools], third party testing, and 24/7 monitoring."
Minnesota Blue Cross switched to a new vulnerability scanning tool last year for its server network. Blue Cross documents show that during the rollout, the implementation consultant noted, "something might be wrong, these numbers seem really high" as he was looking at the volume of vulnerabilities.
Yardic's Sept. 16 e-mail to Minnesota Blue Cross' trustees said the company was failing to take reasonable steps to protect its members' information, because of what he saw as "a long-standing cultural indifference to computer and network security."
"It will take a sustained push from the top to permanently change this culture," he wrote.
Three months later, Eklund, the top IT security officer at Minnesota Blue Cross, said in her statement that the insurer had a strong focus on its volume of vulnerabilities:
"Through ongoing focus, collaborative efforts and opportunity afforded by migration and upgrade projects, our managed volume continues to decrease and should be considerably reduced by the end of the year."