The onslaught continues.
On Wednesday night Anthem, the second-largest health insurer in the United States, announced that it had succumbed to a massive cyber attack. It may be the largest hack to hit the health care industry to date.
The company, formerly known as WellPoint (WLP), has nearly 40 million customers that appear to be at risk, but the breach may have also exposed personal information for the company’s past customers, too. In total, the names, social security numbers, e-mail addresses, birthdays, street addresses, member IDs, and employment information (including salaries) for some 80 million people may been compromised. No credit card or medical data seems to have been taken.
According to an FAQ provided by the company, the following Anthem brands were impacted by the hack: Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare. The company promises to provide credit monitoring and identity protection services free of charge to those affected.
“Anthem’s own associates’ personal information—including my own—was accessed during this security breach,” wrote Joseph Swedish, president and CEO of Anthem, on a Web site—www.anthemfacts.com—the company set up amid the attack’s disclosure. “We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data.”
Anthem has employed Mandiant, a division of cyber security firm FireEye, to investigate its attack. Mandiant was also called upon to investigate the last major attack to hit the health sector, which involved Community Health Systems, a Tennessee-based hospital operator, in August. That earlier breach consisted of 4.5 million records being compromised from April to June—and, like Anthem’s breach, did not appear to target medical or financial information.
Mandiant pegged the Community Health Systems attack on Chinese hackers, an “Advanced Persistent Threat” group that normally targets U.S. intellectual property. Following that breach, the FBI issued a one page flash warning to the healthcare industry urging companies to be on the lookout for attacks.
As reported by Reuters, which had obtained a copy shortly after it was disseminated, the agency said:
The FBI has observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII)…. These actors have also been seen targeting multiple companies in the healthcare and medical device industry typically targeting valuable intellectual property, such as medical device and equipment development data.
One problem the health industry faces is that many companies within rely on aging computer equipment—an easy target for vulnerability-seeking miscreants. “Legacy systems running outdated software and vulnerable application elements are contributing to these companies being a prime target for compromise,” says Jay Kaplan, CEO of Synack, a security firm that sells subscription security software, and a former NSA senior cyber analyst. “All of our healthcare information, from insurance claims to patient records, is being moved online for convenience. We are at the liberty of these companies housing our sensitive data to adequately protect this information.”
According to V. Miller Newton, CEO of data encryption company PKWare, the corporate world will see a major hack every month this year—at least. The only way to solve the problem? “By armoring the data at its core with persistent encryption,” he says, which would render sensitive data into garbled text.
“Old antiquated computers are not the problem,” Newton says. “The problem is that adversaries are going to continue to penetrate these systems no matter what level of perimeter network security they have in place. Every other major company and health provider in this country has to start to think about this problem differently. They have to think about it from the ‘information out’ versus the ‘network in’ perspective—that paradigm shift is starting to happen now, but it has to happen a lot more quickly.”
An FBI spokesperson declined to comment beyond the statement the agency had issued saying that the agency was aware of the intrusion and is investigating it. “Anthem’s initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances,” said FBI spokesman Joshua Campbell. “Speed matters when notifying law enforcement of an intrusion, as cyber criminals can quickly destroy critical evidence needed to identify those responsible.”
In terms of scale, Anthem’s breach looms large when compared to other breaches that have made headlines. Last year, Home Depot (HD) disclosed that up to 56 million credit cards had been looted. In 2013, Target (TGT) suffered theft of 40 million customers’ credit cards and had lost the personal information of another 70 million. Unlike those attacks, Anthem’s is believed to not involve credit cards.
When hackers infiltrated J.P. Morgan (JPM) and stole personal information from around 80 million customers, they did not acquire highly sensitive data like social security numbers, as they have in the case of Anthem.
Chris Petersen, CTO and co-founder of LogRhythm, a security intelligence company in Boulder, Colorado, said: “The barrier to entry for cybercriminals continues to decrease, and personal health information can trade at a premium on the black market. Healthcare providers and insurers are a veritable treasure trove for would-be attackers, not only storing PHI but also card holder data. The Anthem breach should put all healthcare providers and insurers on notice.”
For current and former customers who believe they have been affected, Anthem has provided a toll-free phone number (1-877-263-7995) where it has promised to address questions related to the “very sophisticated external cyber attack,” as Swedish referred to it. When this reporter dialed the extension, though, he was met with a busy signal.
