Breathtaking Anthem breach puts millions at risk of identity theft


By Byron Acohido, ThirdCertainty

Anthem Inc., the nation’s No. 2 health insurance company, disclosed Wednesday that hackers plundered personal data for tens of millions of its customers and employees from all of its business units.

In an open letter posted online late Wednesday, Anthem president and CEO Joseph R. Swedish disclosed that hackers thwarted the company’s state-of-the-art information security systems by means of a “very sophisticated external cyber attack.”

The thieves pilfered personal information of current and former health plan members and employees, including names, birthdates, medical IDs, Social Security numbers, street addresses, email addresses and employment information, including income data.


“Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised,” Swedish says. “Anthem’s own associates’ personal information — including my own — was accessed during this security breach. We join in your concern and frustration and I assure you that we are working around the clock to do everything we can to further secure your data.”

Data exposed forever

USA TODAY is reporting that the number of victims could reach as high as 80 million. These are folks whose personal information, including Social Security numbers, is now and forever in play in the cyber underground. Digital data never goes away.

While the scale of the Anthem breach is breathtaking, it should come as no surprise. Healthcare databases are easy to hack and stolen personal data is highly valued in the cyber underground. Hackers typically sell the stolen data to con artists who then use the data for a wide array of identity theft scams. And law enforcement has a difficult time keeping up.

Continuing a three-year trend, breaches in the Medical/Healthcare industry represented 43.5 percent of the breaches catalogued by the Identity Theft Resource Center in 2014, topping the business sector, which accounted for 33 percent, followed by the Government/Military sector at 11.7 percent, the education sector at 7.3 percent and the financial sector at 5.5 percent.

Scam alert

What we all should do next is check our health plans for ties to Anthem. The company in its current form took shape in 2004 when Anthem Insurance Company bought WellPoint Health Networks.

According to Anthem’s FAQ, the subsidiaries that lost data include Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare.

The company said it plans to contact customers whose data was stolen and offer protections and guidance. But you may not want to wait for Anthem to get its act together, says Dwayne Melancon, chief technology officer at IT security firm Tripwire.

“Individuals who are affected, or potentially affected, should freeze their credit reports immediately with the three major credit bureaus – Equifax, TransUnion, and Experian – to reduce the risk that anyone can open new lines of credit in their names,” Melancon says. “This is also a good reminder that you shouldn’t use any of your personally-identifiable information as answers to your ‘secret questions.’”

Customers and employees of Anthem and its affected subsidiaries ought also to be on high alert for suspicious-sounding email and phone calls purporting to be related to this breach. Scammers will be out in full force over the next few days aiming to jump on the coattails of this breach.

Any pitch that references the Anthem attack as a reason to get you to divulge account data is very likely a scam. Be safe by being distrustful.

For more context see ThirdCertainty’s three-part series Healthcare data at risk:

Part 1, Jan. 5: Why medical records are easy to hack, lucrative to sell

Part 2, Jan. 7: How thieves and scammers are cashing in

Part 3, Jan. 9: How the Internet of Things will exacerbate exposures

Guest essay: Why hospitals need to go beyond HIPAA compliance to secure data
