Anthem Hacked in ‘Sophisticated’ Attack on Customer Data
Bloomberg (02/05/15) Harrison, Crayston
Anthem Inc., the second largest U.S. health insurer in terms of market value, said hackers obtained data on tens of millions of current and former customers and employees in a sophisticated attack that has led to an FBI probe. The information included everything from names, birth dates, and Social Security numbers to street and e-mail addresses and employee data, including income. The company has pledged to notify all customers who were affected and provide credit and identity-theft monitoring services for free. An Anthem statement read: “As soon as we learned about the attack, we immediately made every effort to close the security vulnerability, contacted the FBI, and began fully cooperating with their investigation.” The Anthem breach is believed to be the largest in the health-care industry since Chinese hackers swiped Social Security numbers, names, and address from 4.5 million patients of Community Health Systems Inc., the second-biggest for-profit hospital chain, in 2014.
Experts Suspect Lax Security Left Anthem Vulnerable to Hackers
New York Times (02/06/15) Abelson, Reed; Goldstein, Matthew
The cyberattack on Anthem, one of the country’s largest health insurers, highlights the vulnerability of health care companies. Anthem’s data was vulnerable because the company did not take steps, such as using encryption, in the same way it protected medical information that was sent or shared outside of the database. Anthem officials say they do not know who is behind the attack, but several security consultants have noted that in the past Chinese hackers have shown an interest in going after health care companies. The hackers are thought to have infiltrated Anthem’s networks by using a sophisticated malicious software program that gave them access to the login credential of an Anthem employee. The insurer, along with federal investigators and security experts from FireEye’s Mandiant division, is now trying to determine whether there were other requests that it did not detect, a process that could take several more weeks. Security professionals say the company’s decision to make the breach public quickly means that it is early in the investigation into exactly what happened and what information may have been compromised. “You can spend months doing the forensics,” said Fred Cate, a law professor and cybersecurity expert at Indiana University. While he praised Anthem for taking the “unusual and quite laudable step in coming forward quite quickly,” he cautioned that company officials might not know the scope of the attack at this point. Still, Cate said the medical information was not likely to result in the public unveiling of sensitive medical information, unlike smaller attacks aimed at finding something embarrassing or derogatory about an executive or celebrity. “As a general matter, huge breaches often result in less harm than targeted breaches,” he said. “The notion that someone’s poring over this data is highly unlikely.” The decision by Anthem to bring in the Federal Bureau of Investigation and go public with the breach is the kind of move that law enforcement officials have been encouraging for the last several months. FBI officials have appeared at a number of industry conferences urging corporate executives to promptly report breaches and, when possible, share information about the breach with competitors.