February 4, 2015

Anthem Inc., the nation’s second largest health insurer, disclosed Wednesday that hackers had broken into its servers and stolen Social Security numbers and other personal data from all of its business lines. Given the company’s size, this breach could end up impacting tens of millions of Americans.

Anthem didn’t specify how many consumer records may have been breached, but it did say all of the company’s business units are affected. The figures from Anthem’s Web site offer a glimpse at just how big this breach could be: “With nearly 69 million people served by its affiliated companies including more than 37 million enrolled in its family of health plans, Anthem is one of the nation’s leading health benefits companies.”

The company said it is conducting an extensive IT forensic investigation to determine what members are impacted.

“We are working around the clock to determine how many people have been impacted and will notify all Anthem members who are impacted through a written communication,” Anthem said in a question and answer page released about the breach.

Formerly known as Wellpoint Inc., Anthem said in a statement that the company was the target of a “very sophisticated external cyber attack” that exposed names, dates of birth, member ID/Social Security numbers, addresses, phone numbers, email addresses and employment information. The company stressed that the exposed data did not include medical records or financial information.

According to Anthem’s statement, the impacted plans/brands include Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare. The company said impacted members will receive notice via mail which will advise them of the protections being offered to them as well as any next steps.

Anthem said once the attack was discovered, the company immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation.

More on this story as it develops. Stay tuned.


158 thoughts on “Data Breach at Health Insurer Anthem Could Impact Millions”

  1. Mitchell Roosey

    Given that everyone seems to use Oracle Databases, it seems the hackers have become very adept at hacking the Oracle Relational Database.

    1. Kevin

      By sheer number, there are more small to mid-sized companies using Microsoft SQL Server. This is mostly due to the huge cost of Oracle. So, most companies running Oracle are large companies, which most would assume are better at security than a small company. However, the amount of data to steal is the motive, therefore a large target means a big pay off, which means hacking an Oracle based company.

    2. peter

      Everybody seems to use Oracle? No – many in industry use others including MS SQL and IBM DB2 for enterprise level data management. Besides, it’s not the database schema or its repository that is the fault, it’s the communication and access control that is the weak link.

  2. E.M.H.

    Well, this Anthem breach is just in time! My free credit protection account from the Target breach was just about to expire.

    :-/

    1. Andrew Rossetti

      LOL! This made me nearly spit out my morning soda!

    2. C/od

      E.M.H., by golly you have a sense of good humor.
      Keep it up!!!
      Oh FYI: Flash has another update

    3. E.M.H.

      Well guys, it’s either laugh or cry, right? 😉

      Thanks for the sentiments. 😀

  3. Saunt Orolo

    Anthem? More like anathem. If ever there was a case to be made for allowing the Ita to be Thrown Back …

    1. Enoch Root

      Glad I’m not the only Neal Stephenson fan.

      Will be interesting to see if this is truly a “sophisticated attack”. That’s a default moniker for what often ends up being a very banal, unsophisticated attack against poor defenses.

      1. jaded

        What is “extremely sophisticated” to one company’s security team is “banal and unsophisticated” only to an observer who saw this attack somewhere else a few months earlier.

        Unfortunately, not every company’s security staff is filled with Sherlock Holmes clones; and they can’t be. When companies hire someone into security, they have them working at security tasks, like implementing policies, checking firewall logs, etc. These people lose some of the outside perspective they had when they entered the company, and keeping up with the latest attacks is full-time work when the field of security is so broad. It’s hard to do it all.

        Yes, I’m defending their security teams, because I bet they took their jobs very seriously, they still got hacked, and are now feeling punched in the gut. It’s a crappy situation for all.

        1. E.M.H.

          Fully agree with this. You can only prioritize based on what you know, and sometimes what you know about your corporation’s IT security setup and what the attacker sees are two different things. It’s a sucker punch when it hits, but that’s the nature of the profession. Nevermind distractions (1) and outright interference or denial of requests (2); those are bad enough.

          —–

          (1) Distractions is a bad word here, but how else to describe a situation where you’re short staffed, tasked to the gills already before you lost those other staff members, and then get pressured to meet a deadline (“Get systems x,y,z in HIPAA alignment…” “Get new Two Factor Auth service implemented…”) while trying to do your other, normal duties? Implementing such projects is undeniably important and a good thing for everyone’s benefit, but if you’re not as vigilant at 7pm, two hours after you were supposed to go home, and don’t pay proper attention to that “Hey, thought you should know this behavior” email because you were bushed, well… again, how else to describe your state without using the word “distracted”?

          (2) What if you see a security hole in an organizational IT practice, yet your objection to it gets overridden? Implementing a service that can be hacked (like social hacking SS#/other private info password reset procedures, for example) is bad, but it can happen if the “Good (Convenient/Easy/etc.) For The End Users” argument wins the fight for the CEO’s and other C-level executives’ hearts. When the damage happens, though, what light will you as the CSO (or other title) be seen in?

        2. John Nelson

          Subjective views of what constitutes a “sophisticated attack” notwithstanding, a company possessing a prize the size of the one under discussion (a database with 80 million “fullz” in it) has no excuse for letting an attacker run around inside their network for over a month before discovery. None.

          1. David Mussington

            Do we know that the attackers were inside Anthem’s databases for an entire month? I haven’t seen this in public reporting elsewhere.

            Still, given that the average duration of breach before discovery (compromise to discovery) is >250 days as of 2014, not too surprising if confirmed.

        3. Robert.Walter

          This is what continuing education, supplier sales presentations, newspapers and external audits are for.

          1. Robert.Walter

            Also add a well informed, curious and pro active board of directors to the list.

  4. Roger M.

    I truly am not surprised at any of the breaches anymore. I have been doing information security for over 20 years. 99% of my customers now just want “good enough” and “what will get me to pass an audit”. So they really do not care at all about security, it’s all about keeping the business running. Now, I can’t completely blame the business for this but they are playing with fire. These attacks are NOT sophisticated, they are the exact same phishing attacks we see every day. They don’t want to invest in advanced malware protection, they continue to use traditional firewalls like Cisco ASA base configured, they think crap products like Symantec A/V will protect them. It’s the same story over and over and honestly just getting boring at this point. In 5 minutes I can get a password out of a secretary by calling them up, there is no user awareness training and when there is no one listens and they don’t follow up. Whatever, I am done even talking about it. As always Brian thanks for the great info, let’s roast some lizards for dinner.

    1. ChrisG

      I really REALLY feel your pain and am just as frustrated and sick of the lies from these companies getting “hacked”. We do support for local clients, part of which is security. There is nothing sophisticated about these attacks at all, just simple social engineering. None of the businesses we work for want to pay for training and only want the bare minimum of security. Most complain about passwords so they write them on a post-it and stick it to their monitor. There are so many stupid things that people do that if eliminated and enforced, would wipe out almost all these attacks.

    2. John

      Roger, unfortunately there is no silver bullet. There is no one security product that is 100% effective at stopping a motivated attacker. There is no 100% effective defense-in-depth strategy. I would agree, companies need to do more, but you have to draw a line somewhere. If companies are spending tens of millions and still getting compromised, then is the investment justified? Not saying I know the answer, just asking the question. Sony just said they do not expect any impact to their financials from their recent event. If no financial consequence from a major breach, then how do you justify increasing security investments? Are Boards asking these types of questions? Something to think about.

      1. Ray

        His point still stands. A lot of these breaches are just basic DoS attacks or something completely silly and preventable. It’s embarrassing.

  5. Mahhn

    Too bad the NSA doesn’t do more than spy and let crimes take place. They could actually be useful in tracking down the data thieves and possibly recover it before or as it hits the black market.

    1. kal

      And how do you know that they do not help the FBI when the FBI is investigating breaches?

      1. SpamFodder

        Clearly, Mahhn has no idea what he/she is talking about since the NSA likes to plug breaches and the FBI does not. The FBI likes to allow exfiltration to continue for the purposes of investigation and trailing criminal activity.

        1. Mahhn

          Please relay what the NSA has resolved, and I’ll back off thinking so little of them. I would like to see value in them, but it’s just not obvious. Some good PR would do them good, which is something that doesn’t exist right now.

    2. captainpeachfuzz

      Mahhn, if the NSA were really an internal security organization, this problem would not exist. But we would have a host of other irritations, inconveniences and invasions of privacy (and worse) that would be far more dangerous to our liberty than this current problem with phishing and its derivative activities. Be careful what you wish for.

  6. Alexis Marlons

    Great round ups, really enjoyed your article. It’s a very inspiring post. I learned many great insights here. Thanks for sharing your article.

  7. Paul B

    That’s it. Security freeze time. $5 a pop in Ohio is well worth it. When will it finally cost these businesses real money when this happens? Paying for monitoring is a drop in the bucket, they just chalk it up to cost of business now. There need to be some hefty regulatory fines for losing info like this.

    1. Frank D

      Actually, these instances are more than likely covered by cyber insurance anymore. It lessens the potential financial impact, and then it truly does become just another “cost” of doing business.

      1. Joe Joe

        Frank,

        There isn’t enough cyber insurance in the world to cover a breach of this size. Policies this size simply do not exist. The cost of a data breach is typically $230 per record. This does not take into account the litigation that is sure to follow. Also, how do you put a price on the damage to the reputation of the business? Cyber and data breach insurance is a good idea but let’s keep it in perspective, it’s simply not enough.

        JoeJoe

    2. Dennis A

      In KY, it is $10 per person per credit reporting agency. So, $60 total for me and my wife. For the first time, I am considering a credit freeze.

  8. Dave

    I received a letter from the IRS Monday 2/2/15 saying they had questions about my and my wife’s 2014 return. But we did not file yet. Now I’m going through the process of identity theft. Could this have been from this breach so quick? Does everyone think this really happened in December?

    1. RBBrittain

      IRS systems are wide open for ANYONE who has your SSN, name, physical address, and possibly DOB to file a fraudulent tax return; that fraud has been rampant for years, and your IRS issue probably had nothing to do with Anthem.

      However, since those pieces of info all appear to have been involved in the Anthem breach, don’t be surprised if tax-return fraud gets even bigger. There are reports today that Minnesota is no longer accepting state returns from TurboTax due to fraud, though it’s unclear exactly how TurboTax is involved (most return fraud can originate from *any* software or preparer).

  9. billzos

    Crap corporate security policies + crap security software = ? Bet all of these companies have no idea about zEnterprise or DB2 or RACF.

    1. nonyabizness

      This is like an advertisement for IBM equipment….

    2. HilariousMonk

      Oh, I finally get it. It’s not the proper policies and controls, it’s the BRAND of equipment that protects you from hackers! How did we all miss that? bill”zOS”, you are a GENIUS! 😛

  10. SayWhat

    It was more likely the use of “free” software such as MySQL that opened this company up to getting breached.

    1. N

      Nah. I doubt it was any kind of sophisticated attack. Probably a shared password.

      I’ve worked places where the “default” password when reset by the help desk is the same for everyone. Then, they have a group policy set up for “security” reasons where you cannot change your password from this default for 2 weeks.

    2. WhatDoesThatMean

      It was likely the use of free software? Say What?!?! Please explain in detail how you came to this wondrous conclusion.

  11. jim

    Considering the problem, could the hackers be back dooring the security services’ backdoor? There is at least one security service per country, and an unknown number of private consulting security services in the good ole, all working for the ole, plus the wannabes, and the schools teaching the same with the same tools… most schools would teach the forerunner Oracle databases and their security, therefore how many attempts were made hourly till one worked?

  12. Dan

    Why on earth does a health insurance company need my Social Security Number? I have already been impacted when Northwest Medical System (NMS) was hacked of millions of patient records Monday. “The transferred information did not include any medical information or credit card information, but it did include names, addresses, birthdates, telephone numbers and social security numbers,” explained NMS spokesperson Pat Driscoll, in a statement.

    http://www.nwahomepage.com/story/d/story/northwest-health-systems-will-notify-any-patient-a/87557/v075xMECZkmCGsNmUfTAig

    1. George G

      If you are on Medicare they need your SS number, since payments to customers are coordinated with what Medicare pays.

    2. Andy

      Anyone with a financial relationship with you wants your Social. It is how they know they can come after you uniquely when you owe them money. It is probably the same reason that income data is there. If they ever offer you any sort of credit (like through an HSA or something), they want that info to determine your credit risk.
      This is an attempt to explain why they want it, not in any way to excuse their negligence in not protecting it.

  13. Cody Wood

    Two comments were wildly conjecturing as to the DB technology being used so I figured the smarter thing to do would be to look at job postings and get an actual idea of any technology being used:

    Database Administrator Sr-96212
    Mentions Teradata products.

    Database Admin Sr Advisor Sen — Warrenton, VA 98403:

    Technical experience with Oracle 11+, Oracle ASM 11+, Microsoft SQL Server 2012, EMC Clariion CX3, Clariion CX4, DMX 1000, and DMX4 SAN Storage.

    Developer Sr Sensitive / Developer Advisor Sensitive Job Family:

    SharePoint 2010 & 2013, experience building customized sites & workflows, SQL Server 2008 & higher, stored procedures and triggers, database design/administration, Java, HTML, XML, JQuery, .Net

    The most interesting by far is, a search for ‘security’ yields only 12 job openings with one being:

    Cloud Encryption Security Professional – Info Security Advisor Job Family (93911)

    Posted yesterday!

    1. Peter

      Hey, Cody. That’s too intelligent and accurate for a blog comment. How dare you actually lift a finger to verify something. It’s perfectly reasonable to assume that a huge insurance company would use MySQL, and here you go ruining everything.

      1. Cody Wood

        Peter, you are absolutely correct. I redact the above statement and in its place I leave:

        They were probably using IE 5 and forgot to patch their Windows firewalls!

    2. Will Leisure

      Very nice find! Ahhh..the cloud. Now we only need Cloudfog to secure the data.

  14. E2

    As a growing Managed IT Services provider, we encounter the “SOS” Some Old Sh*t every day. No budget for security, no patching, passwords stuck to the monitor or keyboard, lots of WinXP out there…. people bitching about having a password other than 654321. Nobody gives a flying crap about security except the Security Industry! I literally get blue in the face talking about security to our clients.

    There is so much low hanging security flaw fruit. Many of our clients are small Dental and Medical offices. Even with the threat of government intrusion with HIPAA/HITECH fines, they still don’t get it.

    There is a constant theme of these small businesses spending much more time and money planning their “Sunny Beach” than a Security breach. Unless and until WE are successful in our march to get these small operators to capitulate to budgeting for security, and actually taking an active role in protecting the client/patient data, we are doomed to cyber criminals “shooting fish in a barrel”.

    It really is a National Security problem that can be significantly reduced by deploying LOW COST simple controls.

    One of my engineers called a client’s office staff yesterday and asked for the admin password; over the phone, she instantly gave it to him. State of data security? Pathetic.

  15. Roger B.

    Thurs., 02/05/15
    I received email notification from Anthem BCBS at 12:39 AM today advising that their “state-of-the-art information security system” had been breached, with no date mentioned. It advised that attackers obtained personal information from current and former members such as the names, birthdays, medical IDs/Social Security numbers, street addresses, email addresses, AND employment information, INCLUDING income data. No medical data appears to have been obtained. If you are found to be affected by this breach, Anthem will notify you and provide credit monitoring and identity protection services free of charge.
    I contacted Anthem via their dedicated number 877 – 263 – 7995, and was advised that they do not know if it will be several more days or another week before they will know which members and non-members were affected. The Anthem representatives did confirm that the breach occurred on January 29, 2015.
    This is indeed an unfortunate breach and one which will make many people quite angry given that health insurance is indeed a very sensitive financial and health issue with the public. This is a sorry mess and one which Anthem’s members will continue to pay for in more ways than just premium increases.

  16. David Longenecker

    This worries me more than any of the other breaches to date: the big headlines of the past 2 years have been payment card breaches, and payment cards are easy to replace. This is ID information, the type of stuff that can be used for full-on impersonation.

    Brian has recommended before putting a fraud alert or security freeze on your credit reports to reduce the chance of new accounts in your name … do that.

  17. How do we do that again?

    We could use a good reminder link to an article on How to put the fraud alert / credit freezes in place please.

    And yes, I find it … sad to hear they will offer “protection” after the fact (which of course really isn’t protection and finding out LATER that the guard at the Great Wall of China was bribed is TOO LITTLE, TOO LATE – The Huns are already in and taking over!)

  18. Hilary

    This is absolutely unacceptable. Health insurance companies take our money and do not provide any services, except to now have your identity stolen. I agree with everyone saying that providing our SS number is unsafe in this day and age, and no one should have that information for any reason. This is worse than having your credit card stolen. If we’re required to work with health insurance companies, they should be required to protect our identities. We have fewer and fewer protections and companies (banks, etc.) are going to have to find another way to “judge” us b/c our financial identities are no longer going to be a reliable factor in determining our character. (If they ever were accurate in the first place.) Someone needs to start taking these breaches and our financial security seriously and take steps to prevent them.

  19. Andrea

    I was contacted twice by Anthem Blue Cross yesterday from a 410 area code. The message said there was an important message. They left an 855 area code number to call. Upon calling that # this morning, I was asked for personal information so that they could forward the call to Anthem Blue Cross and Blue Shield. I queried the “call center” and was disconnected. I called Anthem Blue Cross to report this and they said they would make a note in my file–the equivalent of dropping a penny in the ocean and hoping someone would find it, if needed. I then called Anthem’s cyber security “hotline” and they confirmed that there had been no authorized calls to me. Perhaps this is just a screw up (with Anthem Blue Cross, that is always a likely scenario), but it could be an attempt to continue collecting data by the hackers. No one at Anthem Blue Cross seemed particularly concerned.

    1. f

      They have said they will mail people, not call, so this was likely a phishing attempt.

  20. Eric

    80 million SSNs and PII stolen – just in time for tax season! Pay attention to securing your filing method, folks!

  21. Eric Novikoff

    This breach is likely a great example of how security can be compromised simply by not being aware of how your customers perceive security. The HIPAA rules pretty much require encryption (though unfortunately it is just a guideline) so “protected healthcare information” is usually encrypted on providers’ systems. This makes stealing it much more difficult since you have to not only get access to the data, but also the encryption keys used to make it readable. That’s why it’s very unlikely that this breach was of encrypted data (unless it was an inside job… let’s wait to hear about that one.) Much more likely, those in charge of security decided that customer data that was not covered by HIPAA didn’t need encryption, or they felt that it was OK to have copies of decrypted data lying around on nonessential computer systems which could be reached by hackers. This made it available to traditional attacks such as phishing and network break-ins. I’m amused by the discussions on here as to what database software was used: even a minimally skilled hacker could extract all of the data mentioned from any database, no matter what brand or how much you paid for it, once they got access to that database’s command line. If you’re going to secure your client’s data, it is important to determine ALL of the data that is considered sensitive to your clients, and then make sure that it is all encrypted at rest and in motion, and that access to software that works with the decrypted data is strictly controlled via network security and user access security. My experience is that good security = good technology + good processes + good understanding of your customers’ security expectations. If you miss something in any one of these three pillars, you’re going to let your customers down.

  22. TheDonald

    The timing of this is interesting as well. Many employers do their annual ‘open enrollment’ in December. So this was likely timed to maximize the amount of data available to exfiltrate.

  23. Androste

    This is rich. Anthem has known of cyber security weaknesses in its systems at least till 2013. http://www.latimes.com/business/la-fi-anthem-hacked-20150204-story.html#page=1
    Their publicity stresses that credit card and health info has not been taken. That is little if any comfort. The hackers took enough info to piece together a full picture of each person by joining the stolen data with data from other sources (probably also stolen).
    Of interest to Federal workers and retirees, Anthem handles FEP Blue Cross Blue Shield in Wisconsin and several other states.
    Thank goodness for Brian and his dogged and amazing research. We need to give him a much bigger megaphone than his book, articles, and the help he gives the good guys.
    Thank you. Thank you. Thank you, Brian.

  24. Ron G.

    When they came for the Home Depot credit card users data, I didn’t care, because I wasn’t a Home Depot credit card user.

    When they came for the Sony Pictures data, I didn’t care, because I wasn’t a Sony Pictures employee or stockholder.

    I *am* however an Anthem customer, and now I am PISSED OFF!

    Whenever I read about a new one of these breaches… which seem to be pretty much a daily occurrence now… two words spring immediately to mind… air gap. (Not that this saved the Iranian nuclear facilities, but it *is* possible to glue closed all of your USB ports and optical disk drives, so you really can isolate a given internal network from pretty much everything… except internal admin Snowden types of course.)

    Seriously… WHAT THE BLEEP IS WRONG WITH ALL THESE PEOPLE? Why is so much critical data being stashed in places where some skilled miscreant in Kiev, or Sofia, or Pyongyang can even get to this stuff?

    Two reasons, probably. Number one is probably that some anal V.P. wants to be able to connect and check up to see that his minions are indeed working their asses off, even while he’s off enjoying his vacation home in the Bahamas. Number two is that businesses are cutting costs by putting all data online and telling their customers to “use the web site” rather than calling customer service. It’s a false economy, which, it seems, they don’t realize until they get hacked.

    1. bob

      It’s completely unreasonable to expect a large corporation to airgap the PCs that hold PII (customer data). This would make it impossible for the data to be accessed remotely, so it would be impossible to access your account details online. Further, it would require the entire staff responsible for that data to work in one facility. Finally, managing that data would be an absolute nightmare since every computer would have to be updated individually.

  25. Chris

    This article from the IBTimes suggests a stolen user credential was being used to search a database.

    “Anthem discovered the security breach last week when an employee noticed someone was searching a database using his credentials. Investigators tracked the data to a cloud service outside of the company, where they were able to lock it down, Anthem says, although it doesn’t know if hackers had already copied the data or moved it elsewhere.”

    http://www.ibtimes.com/hackers-steal-millions-social-security-numbers-health-insurance-company-anthem-inc-1806094

    1. Cody Wood

      If that article is accurate I would venture a guess that the service being accessed is Teradata as it is mentioned in a few of their job postings. From a brief glance at Teradata’s offerings they aggregate and compile large data sets from different sources for analysis… if this is the attack vector, sophistication would be equivalent to “hacker got a password to DB and downloaded it all….” COMPLETE CONJECTURING but an interesting theory nonetheless.

      1. bob

        My thoughts exactly. PII data should never be accessible from an outside network. If that article is true, I have a hard time believing this company has an infosec department.

  26. Ron G.

    I forgot to add one other comment:

    I do wonder just how much the criminals now know about all of my medical conditions and all of my medications and so forth.

    Not that I personally have much to care about on this score. But I can pretty easily imagine there being lots of people with STDs who are Anthem customers and who might now be subjected to extortionate shake downs, i.e. threats to publicly “out” their conditions.

  27. Daryl A.

    The best security that isn’t tested, validated and re-validated is probably more expensive than you needed to begin with, and in the end, worthless. This attack, however sophisticated, will have the same hallmarks as all the ones that preceded it, and the same excuses. It’s time to get serious, it’s time to know what all that security expenditure is actually doing.

  28. criticalthinker

    If they had been using the free UAQUAS system license this attack would have never succeeded!

    UAQUAS examines the IP addresses that connect to a host and ensures that they are connected to an authorized program or a current web session, and if not kills the connections and blocks that IP address.

    The imposter tour on the uaquas.com web site shows how.

  29. Will Leisure

    If the daterrr were encrypted and the keys indeed ‘secured’, this would be a non issue. Do the needful!!
