Healthcare information security

The Breach of Anthem Health - the Largest Healthcare Breach in History

Chris Sienko
June 11, 2016 by
Chris Sienko

It was February 4, 2015, and an announcement that would shake the medical and insurance industries to their core was about to be made. Anthem, Inc., experienced a massive data breach during which more than 37.5 million records were stolen by hackers. The attack actually began well before February, and experts place its beginning somewhere in December of 2014.

Who Is Anthem?

Anthem, Inc., is the US health insurance giant behind brands like Blue Cross and Blue Shield, Anthem Insurance Company, Amerigroup, Caremore, and many others. The massive company employs more than 37,000 people and had a reported net income of $2.66 billion in 2012. Currently, Anthem is the second largest insurer in the United States.

Implementing HIPAA Controls

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

The Breach

In December 2014, Anthem employees noticed suspicious database queries being made. This was not a one-time attack, and incursions continued throughout December, and almost until the end of January 2015. Investigators confirmed unauthorized data queries to the company’s servers on January 29, 2015.

In all, close to 80 million Americans have had their personal information exposed to hackers, with quite a bit of sensitive information being stolen. Anthem and the FBI report that it doesn’t seem as though any credit card or other financial information was stolen, but the details of what was stolen are frightening. Hackers stole:

  • Full names
  • Physical addresses
  • Email addresses
  • Social Security numbers
  • Birthdates
  • Insurance membership numbers
  • Medical IDs
  • Employment information
  • Income data

It should be noted that, while medical IDs and membership information was included in the data stolen, no actual medical records or other medical information was compromised. In fact, the medical information wasn’t even the target – thieves have much more use for birthdates, physical addresses, and employment information than they do for whether someone is having chemo or had an x-ray last year.

The company’s statement began, “On January 29, 2015, Anthem, Inc. (Anthem) discovered that cyber-attackers executed a sophisticated attack to gain unauthorized access to Anthem’s IT system and obtained personal information.”

So, what does “sophisticated attack” actually mean? Just how “sophisticated” does an attack need to be in order to compromise the personal information of 80 million Americans? The answer might just surprise you. The attack wasn’t really all that sophisticated. Anthem simply failed to protect against it.

The Truth about the Anthem Hack

The plain and simple truth about the hack is that Anthem failed to encrypt their files. Because no medical information was compromised, this does not fall under HIPAA/HITECH, although it reflects very poorly on the company, pointing to laxity in their view of security toward personal information. The fact that employee data was among the tens of millions of records stolen is cold comfort to everyday Americans who trusted the insurance giant to safeguard their data.

According to a story written by Michael Hiltzik for the LA Times, “Often it turns out that the breach isn’t so sophisticated, but that hackers exploited known vulnerabilities in the target’s system. That appears to be the case with Anthem. The huge healthcare firm didn’t encrypt the huge volume of personal information it held, for example. While there’s a debate over whether encryption would have stopped the breach, some experts say its absence points to a general laxity at Anthem about cyber-security.” It should be noted that Anthem was not legally required to encrypt this data, although the healthcare giant could face lawsuits in civil court over this.

Of course, Anthem hasn’t been particularly transparent about what went on, when or much else about the situation, but some details have filtered out. It seems as though hackers were able to get their mitts on network credentials for multiple individuals within the company who had high-level access to the IT system. The most likely means of doing this is phishing, although it’s true that those credentials could have been exposed in other ways.

Phishing scams, according to the University of Indiana, “are typically fraudulent email messages appearing to come from legitimate enterprises (e.g., your university, your Internet service provider, your bank). These messages usually direct you to a spoofed website or otherwise get you to divulge private information (e.g., passphrase, credit card, or other account updates). The perpetrators then use this private information to commit identity theft.”

The breach has actually triggered further phishing scams for the company’s customers. Anthem quickly issued a warning to all members shortly after their announcement of the breach itself, warning customers about “scams designed to capture personal information, that appear as if they are from Anthem, and the emails include a ‘click here’ link for credit monitoring.” Phishing phone calls related to the breach have also been reported. Anthem urged members not to click on any links in emails, and noted that they were not calling any members. Instead, they would be limiting all correspondence to written form.

In all, the breach affected a wide range of Anthem branches, including the following:

  • Anthem Blue Cross
  • Anthem Blue Cross and Blue Shield
  • Blue Cross and Blue Shield Georgia
  • Empire Blue Cross and Blue Shield
  • UniCare
  • HealthLink
  • Amerigroup
  • Caremore
  • HealthKeepers
  • Golden West

So, what is the stolen information being used for? The most common thing for hackers to do is to sell the information on the black market. Once in the hands of buyers, the information is used for identity theft, allowing nefarious individuals to take out credit cards in a member’s name, obtain loans, and a great deal more.

What Was Anthem’s Response?

Anthem’s initial response was to investigate the series of unauthorized data requests to confirm their nature. When it became clear that it was a successful hack, the company notified the FBI. In fact, an FBI spokesperson went so far as to praise the speed of Anthem’s reaction, saying, “Anthem’s initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances. Speed matters when notifying law enforcement of an intrusion.”

Of course, alerting the FBI after an attack has occurred does little to alleviate the damage done to the company’s customers. However, Anthem has advised all members who might have been affected by the breach, alerting them to the fact that data was stolen, as well as the types of information the hackers targeted. Members with questions or concerns can use the Anthem Facts website to learn more, or call 877-263-7995. They’ve taken things several steps further, and have partnered with AllClear ID to provide a full 24 months of credit monitoring, as well as identity theft repair.

The letter sent by Anthem to its members stated, “Anthem will individually notify current and former members whose information has been accessed. We will provide credit monitoring and identity protection services free of charge so that those who have been affected can have peace of mind.”

Of course, credit monitoring is only of so much use, as by the time an alert is received by a consumer, the damage has already been done. Identity theft repair is a more critical service, and can be used to help undo most of the damage identity thieves might be able to inflict. And experts point out that this damage can go well beyond opening a new line of credit or applying for a loan. With the type of personal information stolen, thieves can actually create entirely new identities and get drivers’ licenses or even passports. There is a wealth of opportunities available to those with a willingness to commit this type of crime.

Anthem has also partnered with Mandiant to investigate the breach, as well as the company’s security protocols and systems. Mandiant, a FireEye company, is one of the top-ranked forensic cybersecurity firms in the world. While details regarding Mandiant’s efforts have not been forthcoming, it is known that the company worked with a high-profile client to defeat a professional hacking team the likes of which have never been seen. Mandiant did not confirm that this was Anthem – it could have been any number of other companies – but the security firm did state that at least six other major firms were being fleeced by the same hacking organization.

Finally, as mentioned previously, Anthem is confining all communications with members to letters sent through the US Post Office. They did not and will not email or call members about the breach, and any phone calls or emails concerning the breach should be considered phishing attempts.

Arming Yourself: Knowing the Signs of a Phishing Attack

The rise of Anthem-related phishing scams targeted at the company’s members spiked sharply immediately after the breach was identified, a clear sign that the information stolen had been sold on the black market. The only defense against these scams is to make use of Anthem’s offered credit monitoring and identity theft repair services, and to know the signs of a phishing scam.

Phishing has been around for a long time. Ever received an email from PayPal chock-full of typos? Phishing. However, despite the fact that it is so very widespread, there are many people out there who simply don’t know what to look for.

Typos: This is generally a dead giveaway, but remember that hackers learn. Just because an email doesn’t have any typos doesn’t necessarily mean it’s safe. Think twice or even three times before you click a link.

Attachments: Don’t open attachments. Just don’t do it. Even if it’s from someone you know, don’t open it. The only time you should open an attachment is if you’ve been communicating with someone you know and are expecting them to send a file, and the filename matches what it should be. Even then, it’s best to run the file through your security software.

Links: The golden rule here is just don’t click links in emails – ever. Even if the message is from a retailer you trust, and it’s about an item you’ve been agonizing over buying for weeks, don’t do it. Instead, open your browser and type the URL yourself. That way, you at least know you’re not being redirected to a spoofed site.

Know URL Structure: If you mouse over a link in an email, the full URL should be displayed. By knowing how URLs should be structured, you can avoid many phishing scams. For instance, a link to Microsoft.com.US1.com would obviously not be from Microsoft.

Asking for Personal Information: Here’s where things get tricky, and this is probably what happened with Anthem. If you receive an email from anyone, anyone at all, asking for personal information, do not give it to them. If your boss emails and asks for your Windows login information, walk down the hall and check with him. If your assistant emails to ask for the bank login information so he can make a deposit, physically speak with him in person. Never, ever give out any form of personal or financial information in an email.

Personal Information on the Phone: Phishing isn’t constrained to the Internet. Attackers will try to get to you through the phone as well. If the caller is asking for personal information that they should already have (an insurance company asking for your Social Security number, for instance), don’t give it to them.

In Conclusion

The Anthem debacle remains the largest healthcare hack in history, and while it might have happened in 2015, the ramifications continue to affect millions of Americans every single day. Information is the new form of wealth – with a consumer’s personal information, even something as simple as a full name and physical address, these individuals can do very bad things.

And Anthem is not the only company to have experienced such a breach. There have been many others, including Target, Home Depot, JPMorgan Chase, and even Experian and eBay. You can expect the trend to continue as companies too slow in adopting modern security safeguards continue to put consumer information at risk, and hackers take advantage of their laxity.

 

Sources:

https://www.anthem.com/ca/provider/f1/s0/t0/pw_e230409.pdf

http://www.bankinfosecurity.com/anthem-breach-phishing-attack-cited-a-7895

http://money.cnn.com/2015/02/04/technology/anthem-insurance-hack-data-security/

http://www.usatoday.com/story/tech/2015/02/04/health-care-anthem-hacked/22900925/

http://www.latimes.com/business/la-fi-mh-anthem-is-warning-consumers-20150306-column.html

https://www.anthemfacts.com/

Implementing HIPAA Controls

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

 

Chris Sienko
Chris Sienko