Anthem Hit by Massive Data BreachAs Many as 80 Million Could Be at Risk of Identity Fraud
Health insurer Anthem Inc. has suffered a massive data breach after hackers gained access to a corporate database reportedly containing personal information on as many as 80 million of the health insurer's current and former U.S. customers and employees.
See Also: The Power and Scale of XDR
"Anthem was the target of a very sophisticated external cyber attack," says Joseph R. Swedish, president and CEO of Indianapolis, Ind.-based Anthem Inc., on a dedicated Anthem Facts website that includes a FAQ relating to the breach. "These attackers gained unauthorized access to Anthem's IT system and have obtained personal information from our current and former members, such as their names, birthdays, medical IDs/social security numbers, street addresses, e-mail addresses and employment information, including income data," he said.
To date, the company, formerly known as Wellpoint, says its digital forensics investigation - which is ongoing - has not found any evidence that credit card data or medical records were stolen. The company says it is working with the FBI, and also hired incident response and remediation services firm Mandiant, a FireEye company. "Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised," Swedish says.
An Anthem spokesperson says the company is attempting to confirm "how many were actually affected" by the breach of the massive database. The hacking incident could be "one of the biggest data breaches in history," says cybersecurity researcher Jaime Blasco, chief scientist at security hardware vendor AlienVault.
Anthem says every one of its insurance plans and brands has been affected by the breach, including Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink and DeCare.
"If you are wondering what it means for individuals, in a few words: it is a nightmare. If the attackers had access to names, birthdays, addresses and Social Security numbers, it means that information can be easily used to carry out identity theft schemes," Blasco says.
Breach Specifics: Scant
Anthem Health says it does not yet know exactly which customers' information was exposed, or who might be behind the breach. "At this time, no one person or entity has been identified as the attacker," Anthem's data breach FAQ says. "We continue working to identify the members who are impacted. We will begin to mail letters to impacted members in the coming weeks." In terms of identity theft services, the business says it will advise affected customers of "the protections being offered" when it mails the data breach notification letters.
The lack of information about the breach begs the question of how the health insurer can label the related attack as having been "sophisticated." The use of that word has become common in data breach notifications, and its use may represent "expectation setting so people don't think it could have been prevented," says University of Surrey visiting computer science professor and Europol cybersecurity adviser Alan Woodward. "No one ever says it was 'simple.'"
It also is unclear if the health insurer was using industry-standard "sophisticated" defenses, such as correctly encrypting stored customer data in case attackers should gain access to a critical corporate database.
Discovered In December?
Dublin-based information security consultant and Europol adviser Brian Honan notes that the Anthem Facts website that contains breach details was first registered on Dec. 13, 2014, which suggests that the breach occurred at least six weeks ago. But it's also possible that Anthem does not yet know when the breach began.
"This incident raises [that] old classic: when did they know [versus] telling those affected," Woodward says. "When do you know enough to announce?"
The Health Information Trust Alliance says in an alert that it was notified of the breach after it occurred, and issued related indicators of compromise - "consisting of MD5 hashes, IP addresses, and threat actor e-mail addresses" - via its paid "threat exchange." HITRUST declined to say when it received that notification, but says that after reviewing the attack specifics, it believes the attacker was "a targeted advanced persistent threat (APT) actor," and thus "determined it was not necessary to issue a broad industry alert."
@BrianHonan spooky. That's the very question I was asking. I suspect they're still trying to find out :(ï¿½ Alan Woodward (@ProfWoodward) February 5, 2015
FBI: Spear-Phishing Alerts
The Anthem breach alert follows Community Health disclosing in August 2014 that information on 4.5 million of its patients had been exposed due to a data breach. The hospital chain blamed the breach on Chinese hackers using a spear-phishing attack. In the wake of the breach, the FBI issued a flash alert, warning of an increase in spear-phishing attacks - which are frequently used by so-called APT attackers - that appeared to be targeting healthcare firms' and medical device manufacturers' intellectual property.
"It was the second warning [the FBI] had issued in a period of a few months," says the privacy rights expert "Dissent" in a blog post. "In fact, the number of warnings about attacks on the healthcare sector has been increasing steadily" since February 2014, when the SANS Institute and information security firm Norse issued a report warning that numerous healthcare endpoints were inadequately secured and being regularly hacked, Dissent adds.
If details of Anthem's breach are confirmed by the Department of Health and Human Services, it will by far be the largest healthcare sector breach since HHS began tracking breaches in September 2009. While the Community Health Systems breach last year was the largest known hacking attack on health related data to date, the biggest breach overall until now was a September 2011 breach affecting 4.9 million individuals and involving TRICARE, a U.S. military health program.
Given the potential scale of the Anthem Health breach, it's a sure bet that states' attorneys general and federal legislators will demand that the health insurer release full details of the attack as quickly as possible.
In the wake of Anthem's breach notification, security experts say all of the insurer's customers should beware of targeted phishing attacks.
Security researchers will also be watching black-market sites for evidence of Anthem customer data coming up for sale, AlienVault's Blasco says. "It is yet unclear who is behind the attack, but if the group behind that compromised Anthem and plans to sell that information on the black market, it means cybercriminals can buy access to the stolen data and use that information to drain your bank account, open new credit accounts and telephone accounts or even utility accounts," he says.
In an ironic twist, he adds: "They can even obtain medical care using your information."