Breathtaking Anthem breach puts millions at risk of identity theft
By Byron Acohido, ThirdCertainty
Anthem Inc., the nation’s No. 2 health insurance company, disclosed Wednesday that hackers plundered personal data for tens of millions of its customers and employees from all of its business units.
In an open letter posted online late Wednesday, Anthem president and CEO Joseph R. Swedish disclosed that hackers thwarted the company’s state-of-the-art information security systems by means of a “very sophisticated external cyber attack.”
The thieves pilfered personal information of current and former health plan members and employees, including names, birthdates, medical IDs, Social Security numbers, street addresses, email addresses and employment information, including income data.
“Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised,” Swedish says. “Anthem’s own associates’ personal information — including my own — was accessed during this security breach. We join in your concern and frustration and I assure you that we are working around the clock to do everything we can to further secure your data.”
Data exposed forever
USA TODAY is reporting that the number of victims could reach as high as 80 million. These are folks whose personal information, including Social Security numbers, is now and forever in play in the cyber underground. Digital data never goes away.
While the scale of the Anthem breach is breathtaking, it should come as no surprise. Healthcare databases are easy to hack and stolen personal data is highly valued in the cyber underground. Hackers typically sell the stolen data to con artists who then use the data for a wide array of identity theft scams. And law enforcement has a difficult time keeping up.
Continuing a three-year trend, breaches in the Medical/Healthcare industry represented 43.5 percent of the breaches catalogued by the Identity Theft Resource Center in 2014, topping the business sector, which accounted for 33 percent, followed by the Government/Military sector at 11.7 percent, the education sector at 7.3 percent and the financial sector at 5.5 percent.
What we all should do next is check our health plans for ties to Anthem. The company in its current form took shape in 2004 when Anthem Insurance Company bought WellPoint Health Networks.
According to Anthem’s FAQ, the subsidiaries that lost data include Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare.
The company said it plans to contact customers whose data was stolen and offer protections and guidance. But you may not want to wait for Anthem to get its act together, says Dwayne Melancon, chief technology officer at IT security firm Tripwire.
“Individuals who are affected, or potentially affected, should freeze their credit reports immediately with the three major credit bureaus – Equifax, TransUnion, and Experian – to reduce the risk that anyone can open new lines of credit in their names,” Melancon says. “This is also a good reminder that you shouldn’t use any of your personally-identifiable information as answers to your ‘secret questions.’”
Customers and employees of Anthem and its affected subsidiaries ought to also be on high alert for suspicious-sounding email and phone calls purporting to be related to this breach. Scammers will be out in full force over the next few days aiming to jump on the coattails of this breach.
Any pitch that references the Anthem attack as a reason to get you to divulge account data is very likely a scam. Be safe by being distrustful.
For more context see ThirdCertainty’s three-part series Healthcare data at risk:
Part 1, Jan. 5: Why medical records are easy to hack, lucrative to sell
Part 2, Jan. 7: How thieves and scammers are cashing in
Part 3, Jan. 9: How the Internet of Things will exacerbate exposures
Guest essay: Why hospitals need to go beyond HIPAA compliance to secure data