Once again a company that we trust with our health and personal information has betrayed that trust. Cybercriminals were able to hack into an Anthem database that contained up to 80 million records of current and former customers and company employees. The information now in the hands of criminals includes names, Social Security numbers, birthdays, postal and email addresses, and employment information including income data.
Anthem stated that no credit card or medical information was compromised, but the information that was stolen is sufficient to launch successful identity theft attacks against every one of the tens of millions of compromised individuals.
Anthem noticed the intrusion on January 29, but analysis of the cybercriminal infrastructure likely used suggests that the attackers first gained a foothold in Anthem’s servers in April 2014, nine months before Anthem noticed the attack. One link in the chain of establishing the malware at Anthem went through China. Whether that is a significant fact is unknown at this time. Anthem immediately notified the FBI.
Since admitting the attack, Anthem has been sharing information about the attack including IOCs (indicators of compromise) with HITRUST, the Health Information Trust Alliance, and NH-ISAC, the National Health Information Sharing and Analysis Center. These groups disseminate information about cyber threats to the healthcare industry. So far, these IOCs have not been discovered by other health care organizations. It appears that this attack was focused against Anthem.
Clearly, Anthem is not paying attention to the security of their customers’ data. None of this data was encrypted. Anthem has contracted with Mandiant, a cybersecurity firm, to evaluate their security systems and identify solutions. Seems to me they are a year late with this kind of analysis.
The brands impacted by this breach: Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, and Healthlink. It can also impact anyone holding a BlueCard. A BlueCard enables members of one Blue Cross / Blue Shield plan to obtain healthcare services while traveling or living in another service area. Blue Cross / Blue Shield Federal Employee Programs are also impacted. This information is linked through a single electronic network throughout the US and 200 other countries and territories.
What should you as an individual do if you think you were impacted?
- You may receive an email apparently from Anthem. These emails are not from Anthem and are scams attempting to get your personal information. Do not click on any link in such an email.
- You may also receive a phone call apparently from Anthem about the attack. These calls are also not from Anthem. As always, do not give out credit card or Social Security numbers over the phone on any call you did not initiate. Hang up.
- According to Anthem you should receive a letter in the mail “in the coming weeks.” That letter will advise you of the protection(s) being offered.
- Take whatever identity theft services they offer.
- Continue to monitor all of your financial accounts, including mortgage, investment, and loan accounts.
- Consider putting a security freeze on your credit reports at each of the three reporting companies, Equifax, Experian, and TransUnion. Since most businesses will not open a new account without first checking your credit history, if they can’t access your credit history they are quite likely to deny an application for credit made in your name. It may cost you a few dollars, but it really does stop most identity theft. Availability and cost vary by state. If you want to request credit, you can lift the freeze enough to let a specific request be accepted.
If you are responsible for the personal information of your customers, employees or contractors, how vulnerable are you? You should not guess the answer. Find out, before you become the next Anthem.
Anthem will face some very stiff fines as a result of this breach. Between 2009 and 2013, fines of more than $25 million were levied under HIPAA for data breaches. But this attack impacts more than twice as many people as all of the 2009-2013 breaches involving fines combined.
In 2014, Columbia Medical Center was fined $4.8 million for a data breach involving less than 10,000 people.
The last word:
Sometimes personal data is “released” on paper. Hundreds of documents from the Philadelphia Adult Probation and Parole Department were found in early February strewn across several streets in part of Philadelphia. These documents contained names, addresses, birthdates, Social Security numbers and signatures. The best guess as of this writing is that one or more boxes of documents fell off a truck on the way to a nearby recycling center. The documents had not been shredded.
Keep your sense of humor.