04 Feb 15

Data Breach at Health Insurer Anthem Could Impact Millions

Anthem Inc., the nation’s second largest health insurer, disclosed Wednesday that hackers had broken into its servers and stolen Social Security numbers and other personal data from all of its business lines. Given the company’s size, this breach could end up impacting tens of millions of Americans.

Anthem didn’t specify how many consumer records may have been breached, but it did say all of the company’s business units are affected. The figures from Anthem’s Web site offer a glimpse at just how big this breach could be: “With nearly 69 million people served by its affiliated companies including more than 37 million enrolled in its family of health plans, Anthem is one of the nation’s leading health benefits companies.”

The company said it is conducting an extensive IT forensic investigation to determine what members are impacted.

“We are working around the clock to determine how many people have been impacted and will notify all Anthem members who are impacted through a written communication,” Anthem said in a question-and-answer page released about the breach.

Formerly known as Wellpoint Inc., Anthem said in a statement that the company was the target of a “very sophisticated external cyber attack” that exposed names, dates of birth, member ID/ Social Security numbers, addresses, phone numbers, email addresses and employment information. The company stressed that the exposed data did not include medical records or financial information.

According to Anthem’s statement, the impacted plans/brands include Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare. The company said impacted members will receive notice via mail which will advise them of the protections being offered to them as well as any next steps.

Anthem said that once the attack was discovered, the company immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with its investigation.

More on this story as it develops. Stay tuned.


158 comments

  1. What I would do with Anthem Data if I were a bad guy:
    1. identify all minors, pre credit worthiness age.
    2. create synthetic identities using their SSNs utilizing “seasoned tradelines” <-look it up if you don't know what that is..
    3. do what bad guys do (open credit/bust out/etc.)
    This data has high cash value.

    What I would advise to parents:
    Freeze your children's credit. Yes it costs a few bucks.
    The government needs to make credit freezes easier and free.

    • Given the timing, this is prime season for tax scams. The extracted data included social, income, and probably dependents… given how screwed up the IRS is I’m going to file as quickly as possible.

    • I agree with Houston. I am adding my kids to my monthly credit monitoring and will be getting their credit frozen. It upsets me that I have to spend so much $ to do this, but what choice do I have?

  2. I have worked with a number of insurers, both in and out of the health field. All of my clients encrypt all data in the database, most put the database behind an internal firewall, and a few encrypt data in transit through their internal network. Now obviously content of the database needs to be decrypted to process it, but this should be done on a record by record basis, and auditing systems should be logging all access and detecting any unusual activity against the database. We’ll never find out, but I suspect that Anthem did none of these things. They apparently do for PHI content, because they claim that none of it was compromised. So they have the technology, but they didn’t use it. Based on other comments, they apparently use Teradata and Oracle. Both have full data encryption capability.

    • If they had encrypted PII in databases behind their firewall, if I obtain authentication credentials the game is over. I’ll be able to access the plaintext data remotely.

      Encryption of data on enterprise class systems in data centers is great if you want to ensure that nobody can walk out the door with a server and get at the data. Otherwise it’s not providing much incremental protection.

      • IF you obtain authentication credentials, but this is not a user password, it is hopefully internal credentials that are well protected. That plus audit controls can stop data theft before it gets very far. If all accesses are logged, 80 million requests would really stand out.

        • Excellent points. Security is not any one thing, but a complex of both passive and active measures. By controlling access with encryption, the decryption process becomes a point at which monitoring for patterns indicative of unauthorized access can occur. Anthem is certainly remiss if it did not apply such approaches. And the fact that financial data which affects its own interests more directly *was* protected shows the clear need for legislation that makes insurers liable for unauthorized access to customers’ data.

    • First to put a freeze you have to file a police report if you can get them to even take one. You need some form of activity on the social security # they won’t let you be proactive. I tried for medical fraud someone in another state used my id. I was sent to the state the person used my id. That state sent me back to my state. No one ever took a report.
      If you search out there you will find a CA atty. has already got a lawsuit going against Anthem. They say this happened a while ago & Anthem never told anyone and they did not encrypt their files is how it happened. I am still trying to see what is true and how to be proactive before someone uses my id but I keep running into walls and have only been able to put a 90 day alert on my SS#. Good luck to all. It is costly and time consuming if you have your id used. Anthem will probably never be responsible for any of this.
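The record-level access logging and anomaly detection the commenters above describe, as an added example that is not part of the article or of any comment: a sliding-window check over constructed audit lines that flags a principal decrypting many distinct member records in a short span, while leaving a clerk re-reading one file or a slow nightly job unflagged. The log format, principal names, window and threshold are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def make_sample_log():
    """Constructed audit lines (not real Anthem data), one per record decrypt:
    '<ISO timestamp> <principal> DECRYPT <member_id>'. Three principals: an
    interactive app touching a few records, a bulk sweep of 50 records in 50
    seconds, and a slow job touching 50 records over 50 hours."""
    base = datetime(2015, 2, 4, 9, 0, 0)
    lines = [f"{(base + timedelta(minutes=m)).isoformat()} claims_app DECRYPT {mid}"
             for m, mid in [(0, "M1001"), (1, "M1002"), (2, "M1001"), (7, "M1003")]]
    lines += [f"{(base + timedelta(seconds=i)).isoformat()} svc_export DECRYPT M{2000 + i}"
              for i in range(50)]
    lines += [f"{(base + timedelta(hours=i)).isoformat()} svc_nightly DECRYPT M{3000 + i}"
              for i in range(50)]
    return lines


def parse(line):
    ts, principal, action, member = line.split()
    return datetime.fromisoformat(ts), principal, action, member


def bulk_readers(lines, window=timedelta(hours=1), max_distinct=3):
    """Return {principal: peak distinct members decrypted within any sliding
    window} for principals whose peak exceeds max_distinct. Re-reading the same
    record does not add to the count: revisiting one file is normal, sweeping
    the table is not. Threshold and window are assumed values for the example."""
    events = sorted(parse(l) for l in lines if l.strip())
    per_principal = defaultdict(list)
    for ts, principal, action, member in events:
        if action == "DECRYPT":
            per_principal[principal].append((ts, member))
    flagged = {}
    for principal, reads in per_principal.items():
        peak, start = 0, 0
        in_window = defaultdict(int)  # member_id -> reads still inside the window
        for ts, member in reads:
            in_window[member] += 1
            while ts - reads[start][0] > window:  # evict reads older than window
                old = reads[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > max_distinct:
            flagged[principal] = peak
    return flagged
```

With the defaults only the sweep is reported; lowering max_distinct shows that the nightly job never exceeds two distinct records per hour-long window.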

  3. ‘Anthem said in a statement that the company was the target of a “very sophisticated external cyber attack”’

    Oh so you’ve finished the “extensive IT forensic investigation”?
    Post the report, and then we’ll judge if this really was “very sophisticated”

  4. What do you think of the reasoning in this WaPo story? http://www.washingtonpost.com/blogs/the-switch/wp/2015/02/05/why-hackers-are-targeting-the-medical-sector/?hpid=z18

    Why shouldn’t the government be penalizing these health care entities for HIPAA breaches for failing to protect customer/patient information? And if the HIPAA act doesn’t yet cover lax data security, it should be amended so it does, with real teeth.

  5. I’m potentially one of the hacked.

    Even before now, everybody and their cat already knew my name, ssn, date of birth, place of birth, mother’s maiden name, name of my first pet, street address where I grew up, first telephone number, name of my high school mascot …, and a few dozen other things. Henceforth, everybody and their Russian cousin’s cat will have that on an easy to access database.

    I only can hope that from this day forward, nobody is stupid enough to think that knowledge of social security number is proof of identity. It’s not the “stealing my personal information” that’s the problem, it’s the illusion that bad guys don’t know it that’s the problem.

  6. HIPAA, PCI, FFIEC, NERC, etc. are NOT security frameworks. <—– This is the problem folks.

  7. My take on what the work day today is like at Anthem: https://www.youtube.com/watch?v=z5rRZdiu1UE

    And On Feb. 4, the same day that Anthem disclosed a breach it also posted a help wanted ad for a “Cloud Encryption Security Professional.” I’m going to send my resume in under the name Lloyd Christmas – I’ll be hired by Monday.

    Seriously everyone lock your credit at the three credit agencies and get a pin number from the IRS so nobody can file taxes on your behalf.

  8. I agree with Paladium. I was at a dentist office and noticed that they had all their workstations on the same network as the complimentary wifi service offered to patients. Imagine this was a doctor’s office connected to a HIE.

  9. Can I assume that with a breach like this, the CIO (Chief Information Officer) and the CISO (Chief Information Security Officer) may start to be worried about the security of their jobs and may in fact be spending time polishing their resumes and not focusing on properly responding to this? Or have I breathed too many diesel fumes during my 40 mile bicycle ride today?

  10. Types of legit access: 1) OLTP one policy or person at a time. 2) Data Warehouse statistical (percent of x by zip code, etc). These points of entry can be restricted from the next types and are of no value to a commercial hacker. They are of value to a hacker who wants to target one politician or ex-partner or similar revenge.

    3) Partial list. There is sometimes a need to access all data for a certain provider or all data for a certain employer’s employees. It has value to re-seller hacker..but limited value. Data at rest and data in movement systems can be designed to keep the scope limited as well as to limit access and encrypt the data.

    4) Mass data movement to disaster recovery or fail-over system. In most shops more attention needs to be given to security for this than currently exists.

    5) Cloud. A topic too new and broad to cover in one sentence…except “Do a lot of homework”.

    6) ETL. In antique systems Analytic and Transactional processes were not compatible in the same environment. But with modern systems (that not all vendors have) Analytic and Transactional should be on the same platform with security inherently and seamlessly integrated into the platform…and not an add-on product. The movement of data is minimized. When it is moved it never goes outside the security inherent in the platform.

    Since the important analytic processes (including fraud and hack detection) are needed in real transactional time, the antique culture of a data warehouse separate from the transactional system needs to be updated.

  11. Aren’t we forgetting that a well-planned attack can disable or otherwise modify auditing systems? If you’re a hacker, go after the IPS first, IDS second, and data last.