Health insurance company Anthem recently acknowledged that a “very sophisticated external cyber attack” provided hackers with access to the company’s IT system, exposing current and former members’ personal data.
The New York Times reports that the breached database contained the personal information of as many as 80 million current and former customers and employees, making it potentially the largest health care breach to date.
Information accessed by the hackers includes current and former members’ names, birthdates, medical IDs or Social Security numbers, street addresses, email addresses, and employment information, including income data.
At this point, Anthem doesn’t believe any credit card information or medical data was compromised.
“Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation,” Anthem president and CEO Joseph R. Swedish said in a statement.
Impacted plans include Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare.
All those affected will be notified by mail, and will be offered free access to credit monitoring and identity protection services.
RedSeal senior director Martin Walter told eSecurity Planet by email that information of the type stolen from Anthem, including personally identifiable information and Social Security numbers, is worth more than 10 times as much as credit card data on the black market. “The interesting thing here is comparing the value of this information to the spending on security in the healthcare sector, which is disproportional,” he said. “Credit card information in retail tends to be better protected than personally identifiable information and Social Security numbers in healthcare, even though it’s less valuable in terms of selling price.”
And Jaime Blasco, vice president and chief scientist at AlienVault, said by email that the breach could prove to be a nightmare for the millions affected. “It is yet unclear who is behind the attack, but if the [hackers plan] to sell that information on the black market, it means cybercriminals can buy access to the stolen data and use that information to drain your bank account, open new credit accounts and telephone accounts or even utility accounts,” he said.
Lee Weiner, senior vice president of products and engineering at Rapid7, said Anthem members should also be wary of social engineering attacks. “These would likely be in the form of emails or calls designed to trick worried consumers into taking an action or sharing confidential information such as financial details,” he said.
“Consumers should be suspicious of any unsolicited calls or emails — don’t click on links, or provide personal information over the phone or email,” Weiner added. “If you get a call, offer to call back and use your search engine to find the appropriate number. Do likewise for any emails.”
Protegrity CTO Ulf Mattsson offered the following tips for healthcare organizations seeking to avoid a similar breach:
- Apply enterprise-wide fine-grained de-identification of personally identifiable information and personal health information to protect your patients’ and employees’ privacy, while retaining the ability to mine and analyze the data.
- Apply fine-grained tokenization of PHI information to alleviate the need for clear text data and exposure in-memory across the entire data flow.
- Implement policies requiring strong credentials, including password improvement and rotation, as well as a separation of duties, to prevent privileged users such as DBAs or system administrators from accessing sensitive data.
- If breaches cannot be wholly prevented or detected in real time, then you must secure the data to the point that it is useless to a potential thief. Modern solutions such as tokenization provide better security than encryption, while retaining usability for analytics and monetization.
- Independently verify solutions that protect the data itself. Many of the failures of data security today can be directly attributed to the negligence or ignorance of best practices for protecting data.
Tripwire director of IT security and risk strategy Tim Erlin said it’s safe to assume Anthem will face a congressional investigation. “We can expect this incident to add more fuel to Obama’s cybersecurity initiatives,” he said. “2015 could be the year of meaningful cybersecurity legislation.”