04 Feb 15

Data Breach at Health Insurer Anthem Could Impact Millions

Anthem Inc., the nation’s second largest health insurer, disclosed Wednesday that hackers had broken into its servers and stolen Social Security numbers and other personal data from all of its business lines. Given the company’s size, this breach could end up impacting tens of millions of Americans.

Anthem didn’t specify how many consumer records may have been breached, but it did say all of the company’s business units are affected. The figures from Anthem’s Web site offer a glimpse at just how big this breach could be: “With nearly 69 million people served by its affiliated companies including more than 37 million enrolled in its family of health plans, Anthem is one of the nation’s leading health benefits companies.”

The company said it is conducting an extensive IT forensic investigation to determine what members are impacted.

“We are working around the clock to determine how many people have been impacted and will notify all Anthem members who are impacted through a written communication,” Anthem said in question and answer page released about the breach.

Formerly known as Wellpoint Inc., Anthem said in a statement that the company was the target of a “very sophisticated external cyber attack” that exposed names, dates of birth, member ID/ Social Security numbers, addresses, phone numbers, email addresses and employment information. The company stressed that the exposed data did not include medical records or financial information.

According to Anthem’s statement, the impacted plans/brands include Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare. The company said impacted members will receive notice via mail, which will advise them of the protections being offered to them as well as any next steps.

Anthem said once the attack was discovered, the company immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation.

More on this story as it develops. Stay tuned.


158 comments

  1. Thank you, Brian. Your research and blog provide a true public service when it comes to the truth about all of these data breaches.

  2. Thank you, Brian, for your excellent reporting!

  3. This is the kind of information sharing that the Government is dreaming about and hopes industry will actively create without legislative requirement. All details about breaches and tactics of successful attack are enormously helpful in fortifying defenses from small businesses to global enterprises. KrebsonSecurity continues to raise the bar in information sharing. Kudos and thanks.

    • This isn’t the info sharing I’m looking for – I’d prefer to share how they were breached, for how long and any insight into who it might be. The Target breach with data outbound via FTP was extremely helpful – watch your outbound data points people – size, time and frequency…

      Awesome job Brian.

  4. Anthem, as I recall, was the same company that was pressuring its customers to embrace the Cal Index database. I opted out, but I’m wondering if it ever really mattered.

  5. Anonymous Coward

    One presumes that *former* Anthem members who are impacted need not expect to be notified.

    • From the letter Anthem just emailed out and put on the homepage of a new site http://www.AnthemFacts.com, it looks like they will be notifying and offering protections to former as well as current members:

      “Anthem will individually notify current and former members whose information has been accessed. We will provide credit monitoring and identity protection services free of charge so that those who have been affected can have peace of mind. We have created a dedicated website – AnthemFacts.com – where members can access information such as frequent questions and answers. As we learn more, we will continually update this website and share that information with you. We have also established a dedicated toll-free number that both current and former members can call if they have questions related to this incident. That number is: 1-877-263-7995.”

    • I have moved three times in the five years since I last had Anthem insurance, so I’m wondering how hard they’ll try to find me. And I must say I’m not too keen on giving them my new info, but perhaps I should.

      UGH.

      • Same here. I would like to see them open up a toll-free # to verify with callers whether their information was compromised or not.

        • Never mind…I see that they did.

          • The toll free number as of today (Feb 5) is currently only an audio recording of their public statement with an option at the end to contact a customer service agent. I did that and found the agent unprepared to answer the question of how a former customer whose contact information has changed can expect to be contacted. To her credit, the agent did escalate my question, so hopefully they will contact me with a response.

            • Question Mark, please chime in here if you hear from them! I was confusing two of my insurers, so it’s actually been 9 years and 5 moves since I was an Anthem customer. I’m probably still screwed.

    • From the AnthemFacts.com website:

      “Anthem will individually notify current and former members whose information has been accessed. We will provide credit monitoring and identity protection services free of charge…..”

    • So true! Once a customer, always a customer…. in their database. They’ll have a hard enough time informing current customers, let alone the millions who have passed through their electronic portals. We will be left hanging, I’m sure.

  6. Even more bad news, if this is true then it’s not good for a lot of people.

  7. Interestingly, the report I was reading in parallel (Websense® Security Labs™: 8 Security Predictions for 2015) also lists health care data continuing to be a prime target in 2015. Good reporting, thanks Brian!

  8. Get I.D. protection!!

    • I.D. protection products don’t work. All they do is notify you that there has been a change to your credit report. They do not protect anything.

      The only way to properly “protect” your identity is to put a freeze on all your credit reports, and you can do that yourself without any ridiculous monthly fees.

      Ask any of those I.D. protection services how they will help you once your I.D. is stolen and used, and you will find that none of them “help” you. There is no money in doing any I.D. theft recovery.

      • Most of the Companies that sell ID protection to Companies who have been breached (for the “victims” of the breach) now offer recovery and some amount of damage insurance as part of their services. It’s a probability thing. The number of people who will be insured for the one year period (the usual limit to the free offer) is huge compared to the very few people who actually have damages from their information being used, even if it’s expensive for those few people.

        If you get a letter, read the contract and the fine print carefully.

      • I’ve been a member of LifeLock since 2011, and I recently upgraded to the top of their line security. No problems so far, knock on wood 🙂

  9. It is the clean SSN of children in the database having been taken that is most disturbing and probably what is going to come back as a huge issue with this breach and will end up biting a lot of people even years down the road – a child’s credit report is clean, a blank slate for a criminal – and criminals know no one typically checks for identity theft on a child’s SSN . . . but also it will be a burden in fraudulent returns that will have already claimed the child and their SSN as a dependent on a fraudulent tax return. This is a HUGE issue if your child is enrolled with one of these carriers (and mine is).

  10. Robert Scroggins

    Once again, a “very sophisticated” attack. They always start by mentioning that, don’t they? I guess they think that takes away some of their responsibility!

    Regards,

  11. The Anthem Facts site is a bit interesting. The name was registered in early December using GoDaddy. The site itself is hosted on Amazon, most likely to handle the large traffic hit. The pages, all 2 of them, are static.

    While this attack is very real, and they are taking steps to inform their customers and employees, 2 things come to mind:

    1). Based upon the domain registration date, did it take 6 weeks to notify their customers, etc.?

    2). Anyone can register a domain using Go Daddy and set up a site on AWS. Use links that you know are legitimate, because there will be malicious copycats popping up in the next few HOURS.

    And I will bet that we find out this “sophisticated attack” was started via a spearphishing email.

    Anthem’s IT is heavily outsourced to offshore companies, most of their Application SME knowledge is now in the hands of offshore third parties.

    • You read my mind completely. 😉

    • I thought they mentioned a detection date of 1/29? But what I really wanted to say is that planning and setup for this kind of thing should be done well in advance of a real incident anyway. It can take months just to get a contract in place with one of those ID protection firms, for example.

    • Registered Dec 13. Various news sites are reporting that the breach started Dec 10. Very suspicious timing when Blue Shield is claiming they only found out on Jan 27.

      What are the laws surrounding breach disclosure timing? Are they lying to ensure they meet the law?

  12. Another breach… More clear text data stolen, presumably.

    Time to assume breach and encrypt all data at rest, the moment it hits a platter.

    Why is this such a hard pill to swallow for really well resourced IT teams? Standing up a PKI with offline CA is hard work in a small environment, but it can be done. Why can’t well resourced teams do it?

  13. As one who spent several years setting up the SAP security systems at major banks, government, oil companies, etc., I can tell you that this was most likely NO RANDOM or OUTSIDE HACK… In 99% of the attempted or discovered hacks we found that someone on the inside of the firewalls / account-file security left an “internet facing” server open and the hackers exploited this opening. I do not know who or why they did this, but I would advise investigators to look closely at people with IT and HR access to personal information on customers or employees. Those persons who might have personal issues, i.e. drugs, debts, problems with bosses, etc., should be thoroughly investigated as to anything in their personal life that might make them need money or other reason. The people in HR should be held accountable for not having a program in place to continually evaluate or scrutinize persons with access to HR records… everyone employed there who works in IT and in HR should have all their bank records for the last year or so seized and examined…

    • Are you just talking out of your ass or what Barry? For a man who has so much insight into the info sec world, you sound like an entry level fraud investigator.

  14. The email I received from Anthem lists financial information as part of the breach.

    “These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.”

    • I think they meant banking information.

      • Personal information is banking information. A patient that paid cash still trusted the doctor’s office with his/her personal information, which is all the hackers need to apply for credit or falsify a tax return.

        Hackers and IS will burn in the same hell.

  15. What legal options do we have to recover damages? For all the work I need to now do to address this matter, free credit monitoring doesn’t cut it. Why is it that as a customer of these healthcare firms I feel more like a slave to these firms? At what point does being a citizen of the US and paying taxes earn me the right to be less than a lackey of a bank or health care insurer?

    • I’m not a lawyer, but before you start talking about recovering damages, you have to prove a loss. Then it would probably be affected by what Anthem did or didn’t do, were they negligent or not, not in compliance with regulations, etc. Sometimes, stuff just happens.

      • The only way they can extract this data is if it wasn’t encrypted. Every customer has now been exposed due to negligence in this way.

        • That’s not true. If they accessed the system doing the actual processing, or the system that provided the support interface (for their call centers), then, by need and by design, that information is not going to be encrypted. Even if the system included a custom application on the desktop to decode the information if it was encrypted until being displayed on the desktop, there was probably nothing to prevent the attackers from launching a copy under their control.

        • Keep in mind, HIPAA does not require that we encrypt our internal databases provided we can demonstrate safeguards in place (infrastructure or third party) that mitigate or prevent unauthorized access and can make a business use case for why the database can’t be encrypted (e.g. vendor software requirements).

          Anthem’s culpability under HIPAA will not be known until after OCR swoops in and does the audit, which will almost certainly happen. Also, the only reason Anthem is telling anybody about the breach is because notification is also required under HIPAA; no doubt they would have kept it quiet for much longer if they could.

    • I agree the company has some liability, but let’s not forget the real criminal here is the hackers. The same low-class group of people who targeted Aldi customers a few years back – the poorest of the poor.

      Hackers and IS are the same.

  16. Oh, and a technology question:
    When I read through HIPAA and HITECH it seemed pretty clear that all reportedly stolen data such as social security numbers etc. must be de-identified to qualify for safe harbor. If the data was cleartext, what does this mean in terms of HIPAA and HITECH? What is the liability for Anthem?

  17. Hi,

    Do you know if we can sue the company over this for damages?

    • What damages?
      You haven’t realized any damages (yet, if ever).

      So no, there’s no basis for a lawsuit.

  18. bizzyunderscore

    These cheesedick assholes get owned across every LOB then have the GALL to suggest that they know who the “affected customers” are. What a joke. And now, if I don’t give them their cut of my paycheck, I’m the one breaking federal law. What a fucking sad joke. On us! Ha ha ha!

  19. 40% of fraudulent tax returns pay off and the IRS will be one of the first areas they could hit. IRS has a problem in the fact all you need is a social security number and you can use the name Jane Doe and again there’s a 40% chance it pays off. Even Eric Holder has had returns filed on his social security number. 60 minutes video at the link below explains, and it’s not even high tech at all.

    http://ducknetweb.blogspot.com/2014/09/one-more-reason-to-license-data.html

    When your data is repackaged you will never find the origin and these folks could be wanting to get into that part of the business, we don’t know.

    If all data sellers had licenses, that license would accompany every data transaction sale or connected data link so we know it’s legal. So just like counterfeit drugs the hackers who are smart will work and query this data and innocent companies, just like what happens with counterfeit drugs, will be buying this stolen data, not knowing it’s been hacked.

    http://www.youcaring.com/medical-fundraiser/help-preserve-our-privacy-/258776

    Again we don’t know who the hackers are and what their intent is but with the data selling epidemic in the US right now it certainly spurs the hackers on. It’s a $180 billion dollar a year business, selling personal data so with this much who knows. Every US bank has a lab in the Silicon Valley, they want those apps and web sites to mine and sell some data.

    • Very interesting. What I find astounding is that the IRS and DHS are both facing furloughs, even as we have entered the tax season.

      • Diane Trefethen

        If you want government services, do not vote for candidates who thump their chests about how they are going to cut government spending.

  20. My issue is when was the hack? Why did I receive an email and my spouse on the policy did not? I am not the primary either. So I was hacked and my spouse was not? How could an effin insurance company get hacked? I also don’t care that Joe Blow president, CEO or whatever supposedly had his info hacked too. Your apology means nothing to me. You are just trying to smooth things over and it is not working. IT investigation will be useless.

  21. Anthem does a lot of IT outsourcing and may be in transition to new vendors. I am curious if this is in any way related. Transitions like these have got to be very complex and any missteps along the way could easily lead to a security breach.

    $500 million dollar deal with IBM announced in January.
    http://www.icto-news.com/anthem-teams-ibm-strengthen-operational-performance/

    Also a new $200 million dollar outsourcing to HCL Technologies was rumored to be signed in early January as well.
    http://www.theoutsourceblog.com/2015/01/wipro-wins-450m-deal-from-abb/

  22. Rumor has it that the breach originated at an outsourced data center in Asia. I’m wondering if this will begin a trend of insourcing health data from countries that don’t respect or understand the concept of privacy? I wonder if this will lead to legislation or a new best practice of keeping health data in US data centers? If I was one of Anthem’s competitors I would be looking at how to repatriate Americans’ data.

  23. Anthem — you can’t even protect your member information? How stupid you are to be hacked. Why didn’t you take some of the millions (billions?) of dollars you take from your members and invest in security? Dumb ass company.

  24. >>”We continue working to identify the members who are impacted. We will begin to mail letters to impacted members in the coming weeks.”

    Wonderful. They’re relying on snail mail and it may take weeks before people learn whether their own data was exposed.

    Why not use email (much quicker), and why wait to offer protection (hopefully from a strong vendor)? The “coming weeks” are when people will be most vulnerable.

    FWIW, I’m a current Anthem customer, and while the UI for their website has been very good, the system performance has consistently been horrid. And now we know it’s not just response time that sucked…

  25. I like how they have crafted their message to downplay the risk to everyone affected. The President of Anthem says even he was affected. Is this supposed to make me feel better? It’s an effort to try to minimize the gravity of the situation.

    They are making a point of saying no medical or credit card data was spilled. This is far worse. Whoever exfiltrated huge amounts of this data has fullz, which can lead to very easy theft of your ID.

    As someone in data security I really have to question how they did not detect this amount of data going out the door. Their processes are terribly flawed and their detection systems were worthless. They really need to be held accountable. There is ownership from the C-suite and the Board of Directors on down including legal, privacy, IT and risk.
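Two commenters above (the reply under comment 3 about watching outbound “size, time and frequency” after the Target FTP exfiltration, and comment 25 asking how this much data left undetected) describe the same control without showing it. The following is an added example, not Anthem’s code and not anything from the original post: a small detector that baselines each internal host’s typical outbound transfer size with a median (so a few huge transfers cannot inflate their own baseline) and flags connections by absolute size, ratio to that baseline, and off-hours timing, then groups the flagged connections by destination to surface repeated transfers to one external host. The log format (`ts src dst bytes_out`), the IP addresses and the thresholds are constructed for illustration; nothing here is taken from the Anthem investigation.

```python
"""Added example: flag bulk outbound transfers in constructed firewall log lines.

Signals, per the comment thread: size (absolute volume), ratio (far above the
host's own median), off_hours (outside the working day), and frequency
(repeated flagged transfers to one destination). Log format is hypothetical.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log. Not real traffic from Anthem or anyone else.
# Fields: ISO timestamp, internal source, external destination, bytes out.
SAMPLE_LOG = """\
2015-01-27T09:12:01 10.1.4.22 198.51.100.7 1843
2015-01-27T09:15:44 10.1.4.22 198.51.100.7 2210
2015-01-27T10:02:13 10.1.4.22 203.0.113.9 1502
2015-01-27T11:40:09 10.1.4.22 198.51.100.7 1988
2015-01-27T14:05:27 10.1.4.22 203.0.113.9 2075
2015-01-27T02:13:05 10.1.4.22 203.0.113.45 734003200
2015-01-27T02:41:51 10.1.4.22 203.0.113.45 812450304
2015-01-27T03:10:19 10.1.4.22 203.0.113.45 790123008
2015-01-27T09:30:00 10.1.4.50 198.51.100.7 1700
2015-01-27T16:30:00 10.1.4.50 198.51.100.7 1650
"""


def parse_log(text):
    """Parse 'ts src dst bytes' lines into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "bytes": int(nbytes),
        })
    return records


def baseline_per_host(records):
    """Median outbound bytes per source host.

    A median rather than a mean, so that a handful of very large transfers
    cannot drag the baseline up and hide themselves."""
    per_host = defaultdict(list)
    for r in records:
        per_host[r["src"]].append(r["bytes"])
    return {host: median(sizes) for host, sizes in per_host.items()}


def flag_transfers(records, big_bytes=100 * 1024 * 1024, ratio=100, work_hours=(6, 20)):
    """Return one finding per suspicious connection, with the reasons it tripped.

    Thresholds are illustrative assumptions: big_bytes is an absolute ceiling,
    ratio compares against the host's own median, work_hours is [start, end)."""
    base = baseline_per_host(records)
    findings = []
    for r in records:
        reasons = []
        if r["bytes"] >= big_bytes:
            reasons.append("size")
        if base[r["src"]] > 0 and r["bytes"] >= ratio * base[r["src"]]:
            reasons.append("ratio")
        if not (work_hours[0] <= r["ts"].hour < work_hours[1]):
            reasons.append("off_hours")
        # Off-hours alone is noisy (backups, patching), so it only counts
        # when combined with a size or ratio hit.
        if "size" in reasons or "ratio" in reasons:
            findings.append({**r, "reasons": reasons})
    return findings


def summarize_by_destination(findings):
    """Group flagged connections by (src, dst) to expose the frequency signal:
    several flagged transfers to the same external host in a short span."""
    agg = defaultdict(lambda: {"count": 0, "bytes": 0})
    for f in findings:
        key = (f["src"], f["dst"])
        agg[key]["count"] += 1
        agg[key]["bytes"] += f["bytes"]
    return dict(agg)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    flagged = flag_transfers(recs)
    for f in flagged:
        print(f"{f['ts']} {f['src']} -> {f['dst']} {f['bytes']:>12} {','.join(f['reasons'])}")
    for (src, dst), s in summarize_by_destination(flagged).items():
        print(f"{src} -> {dst}: {s['count']} flagged transfers, {s['bytes']} bytes total")
```

On the constructed sample, the three early-morning transfers from 10.1.4.22 to 203.0.113.45 trip all three per-connection signals, and the destination summary shows them as a cluster of roughly 2.3 GB to one host in under an hour, which is the pattern the commenters say should have been noticed. In a real deployment the baseline would be built over days of history and the destination check would also consult a reputation or allow-list, both of which this example leaves out.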

  26. Consumer Advocates

    Class action attorneys are indeed investigating prospective claims/damages on behalf of affected consumers. If you are a customer of any of the following: Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink or DeCare, call (855) 4-CLASS-LAW (425-2775).

    • I don’t think you’re going to get many calls from people who read this website, people who are smart enough not to contact some random phone number and give it info. That said, I hope Brian deletes this phone number.

    • I used two search engines to look up that telephone number given, and both had very few results, and none of the results gave a business name and address.

      One result was in a forum that had a section dedicated to Radio Shack.

      Brian, you’ve got spam for a fake lawyer.

  27. So if the data is stored offshore, is it really covered by US HIPAA laws?

  28. You all have to realize that the investigation has been going on for months before disclosure to the public. In many instances, the public is never notified. I’ve worked on more than one breach for publicly traded companies where the companies NEVER disclosed in filings as per SEC regulations.

  29. Brian: Love the blog. I work in the healthcare industry. You know the HIPAA regs regarding breaches of protected health information, of which Anthem has LOTS on its servers, are onerous. If HIPAA protected info was breached they would not want anyone to know. Are they lying about this?

  30. I’m very interested to understand “how” it was hacked, i.e., method (spearphishing, software/hardware flaw, id/password, web-based malware, etc.)