Anthem Security Breach: 80 Million Records Stolen

On February 4, 2015, America awakened to the announcement of an Anthem security breach in which the private information of over 80 million members was stolen. The information stolen included patient names, addresses, SSNs, insurance IDs, and employer and income information, none of which was encrypted in the Anthem databases. The medical information of its members was not affected; nonetheless, it is a significant attack on critical infrastructure affecting many people.
In an email, the company stated: “Anthem Blue Cross was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data. Based on what we know now, there is no evidence that credit card or medical information (such as claims, test results or diagnostic codes) were targeted or compromised.” (source)
“Anthem CEO Joseph Swedish portrayed the breach incident as a “very sophisticated external cyber-attack.” But not everyone is buying that explanation, based on the company’s track record. “Call me a skeptic; I am not yet convinced that this was the result of a sophisticated attack on a high-value target,” says Holtzman, a former senior adviser at the Department of Health and Human Services’ Office for Civil Rights. “Recall that in 2013 … Wellpoint Inc. [now called Anthem] settled with OCR for $1.7 million over allegations of improper safeguards for e-PHI,” he notes. “The evidence in that incident was that over a period of more than six months, Anthem BC/BS of California allowed unauthorized access through its online health insurance application portal.”
Rep. Lynn Westmoreland, R-Ga., Chairman of the Intelligence Committee’s NSA and Cybersecurity Subcommittee, said: “The Anthem hack shows the immediate need for enhanced cybersecurity measures, for both national security purposes and to protect our citizens.”
Firestorm of Hack Attacks

The top 5 security breaches since enforcement of the HIPAA notification rule began in September 2009:
1. Anthem, with over 80 million affected. Business Associate (BA) involved: none. Hackers gained access to a corporate database containing personal information on the health insurer’s current and former US customers and employees in February 2015.
2. Tricare, with over 4.9 million patients affected. BA involved: Science Applications International Corp. (SAIC). Backup tapes for the military health program were stolen in September 2011 from the car of an SAIC employee who was responsible for transporting the tapes between federal facilities.
3. Community Health Systems (CHS), with 4.5 million patients affected. BA involved: none. Hackers believed to be an “advanced persistent threat group originating from China” used malware to attack the hospital chain’s systems in April 2014 (source). The real story, according to other sources, is that the hospital system had not fixed the “Heartbleed” bug, which compromised SSL-encrypted transmissions.
4. Advocate Medical Group with 4.03 million patients affected.  BA involved: none. Four unencrypted computers contained patient information used by Advocate for administrative purposes in July 2013.
5. Texas Health & Human Services Commission with 2 million patients affected. BA involved: Xerox.  The breach arose from a legal dispute between the state and its former contractor, Xerox.  When the state ended its contract with Xerox, the vendor allegedly failed to turn over to the state computer equipment, as well as paper records in August 2014.
As you can see, the breach of the Anthem databases, like others on this list, involved data that was not encrypted. Hard drives, tape drives and any storage device that holds patient information must be encrypted, as per security standards including HIPAA and the NIST Cybersecurity Framework (which will be mandatory for all critical infrastructures including healthcare).

Put out the fire!

Enhanced security measures for patient data, both across networks and on memory systems, must be implemented. According to a healthcare information security survey, “less than 50 percent of organizations currently apply encryption to all mobile devices and storage media including backup tapes.”