Anthem’s Massive Hack Worse than Anticipated

Health insurer Anthem Inc. recently suffered a massive hack, exposing up to 80 million customers and employees according to the LA Times. This information included their President and CEO Joseph R. Swedish.

In response, Swedish issued a personal statement to Anthem members:

These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data. Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.

Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation. Anthem has also retained Mandiant, one of the world’s leading cybersecurity firms, to evaluate our systems and identify solutions based on the evolving landscape.

While the claims that no credit card numbers or diagnosis / treatment data was stolen are earnest, the data leaked is enough to verify identities of members to third-parties. That’s part of why health IT data is more valuable on the black market than credit card data, which has rigorous consumer protections in place.

Anthem’s legal liability might end there but the troubles consumers could potentially face really just begin.

The fact employee data was also leaked poses a human intelligence quandary as there’s enough data to “spoof” the identity of employees and gain further access or sell customer data to spoof their identities with banks, home mortgage agencies, etc. It’s a low-tech approach to gaining access to high-tech systems. The highest-profile hackers, such as Kevin Mitnick, previously employed these methods to subvert even federal systems. How can organizations prepare effectively against people who have the data to back-up that they are who they say they are?

Compounding this, many health care providers are on legacy computing systems, still utilizing Windows XP and Internet Explorer 8 despite security patches ending. You can read more on this in our previous article “Healthcare IT Lessons: New Security Risks and Scaling Projects.”

Never-the-less, Anthem Inc. has set-up a website dedicated to the hack AnthemFacts.com.

UPDATE: The Washington State Office of the Insurance Commissioner is reporting that some Washington Apple Health beneficiaries have been impacted.