On Friday, Anthem, Inc. announced that identity thieves had gained unauthorized access to its computer network and stolen the sensitive personal information of patients and staff. Joseph R. Swedish, the President and CEO, stated in a letter to its members that the data elements compromised included personal information about:
"... current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data... Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised."
Affected patients included members of the following health care plans: Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, and Unicare. BlueCard members were also affected. While the Anthem breach notice did not mention 80 million affected patients, several news sources mentioned that statistic, including the Los Angeles Times and Forbes.
Anthem said it took steps to fix and close the data breach. It contacted the Federal Bureau of Investigation (FBI), and hired Mandiant, a respectable computer security firm, to evaluate its computer systems, networks, and data security processes. The health care provider launched the Anthem Facts website to keep members informed about the data breach and answer many questions. The site includes Mr. Swedish's breach notification letter. Members with questions can call the health care provider at 1-877-263-7995.
This is a massive data breach, and it is not good news for several reasons. First, the data elements stolen are sufficient to allow criminals to commit financial fraud using the victims' identities. To the good, Anthem stated it will contact affected members and provide free credit monitoring services. However, the health care company's announcement did not state the number of years of complimentary credit monitoring services. Many companies provide one or two years, even though the stolen information retains value for a far longer period.
Second, since e-mail addresses and names were stolen, it means that breach victims are at risk of receiving e-mail spam and phishing attacks as the hackers resell the stolen data to other criminals worldwide. The FAQ page in the Anthem Facts site acknowledged this risk and advised members to:
"... be aware of scam email campaigns targeting current and former Anthem members. These scams, designed to capture personal information (known as "phishing"), are designed to appear as if they are from Anthem and the emails include a "click here" link for credit monitoring. These emails are NOT from Anthem. DO NOT click on any links in email. DO NOT reply to the email or reach out to the senders in any way. DO NOT supply any information on the website that may open if you have clicked on a link in email. DO NOT open any attachments that arrive with email."
Anthem also confirmed this in several tweets:
Opening e-mail attachments from unknown persons can spawn computer viruses and malware on your desktop, laptop, tablet, or smart phone. So, it is wise to learn how to spot phishing e-mails. There is plenty of information in this blog.
Third, security experts are concerned that Anthem applied data encryption only to information in transit and not while it was "at rest" and stored in databases. Forbes reported:
"Encryption, which scrambles data so only authorized parties can read it, is considered the most effective way to achieve data security. Several data experts say the lack of encryption made it easier for hackers to gain access to up to 80 million customer records including Social Security numbers, e-mail addresses and other personal information... The Health Insurance Portability and Accountability Act, known more commonly under its acronym “HIPAA,” doesn’t require health care companies to encrypt such data."
Fourth, it is good that Anthem has hired a reputable, skilled computer security firm to help it understand exactly how the breach occurred and then apply the necessary fixes. After studying several breaches and companies' post-breach actions during the 7+ years I've written this blog, I've noticed that post-breach fixes don't happen quickly. The breach investigation takes time. Hence, you see in the announcement cautious words, such as "Based upon what we know now." The fixes often include a mixture of technical solutions and staff training. During the coming months we will see how transparent Anthem will be with sharing data about the breach and the fixes it applies to its networks, computers, and staff training.
The fact is: there is nothing to stop criminals from repeatedly attacking the company's networks. Hopefully, Anthem will implement fixes fast enough and sufficient enough to both identify and thwart future attacks.
Fifth, and perhaps more troubling, is the history of data breaches at Anthem. Anthem, Inc. was formed in 2004 with the merger of Anthem and WellPoint Health Networks. The company changed its name from WellPoint to Anthem in 2014. A March 2008 WellPoint breach affected 130,000 patients, and a 2006 breach affected about 200,000 patients when backup computer tapes were stolen from a vendor.
In 2011, WellPoint settled data security allegations with the State of Indiana Attorney General after a data breach during 2009-10 affected 32,000 Indiana residents. A faulty website security update exposed the personal, financial, and medical information of about 470,000 consumers nationwide. WellPoint made a $100,000 payment to the state.
In 2013, WellPoint paid $1.7 million to the U.S. Department of Health and Human Services (HHS) to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules:
"The HHS Office for Civil Rights (OCR) began its investigation following a breach report submitted by WellPoint as required by the Health Information Technology for Economic and Clinical Health, or HITECH Act. The HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information. The report indicated that security weaknesses in an online application database left the electronic protected health information (ePHI) of 612,402 individuals accessible to unauthorized individuals over the Internet. OCR’s investigation indicated that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Security Rule."
Sixth, in its breach notice, Mr. Swedish said:
"Safeguarding your personal, financial and medical information is one of our top priorities, and because of that, we have state-of-the-art information security systems to protect your data... I want to personally apologize to each of you for what has happened, as I know you expect us to protect your information. We will continue to do everything in our power to make our systems and security processes better and more secure, and hope that we can earn back your trust and confidence in Anthem."
The health care company's history suggests otherwise. Safeguarding patients' data may not be a top priority. An apology is nice, but actions speak louder than words. In 2012, Anthem settled a lawsuit with the Office of the California Attorney General. Terms of the settlement included a $150,000 payment, technical fixes to its computer networks, restricting access only to certain employees, and data-security training of all employees. Anthem allegedly printed Social Security numbers on letters it mailed to more than 33,000 persons between April 2011 and March 2012; a clear privacy and data security no-no. The lawsuit claimed that this practice violated state law prohibiting the disclosure of Social Security numbers. After that 2012 breach, Anthem offered affected members one year of free credit monitoring services.
The latest data security lapse at Anthem/WellPoint causes one to wonder if data security is truly a top priority, if the state-of-the-art systems Mr. Swedish described have truly kept pace with Internet and software developments, and if adequate employee training about data security stopped after terms of the 2012 settlement were fulfilled.
While writing this blog, I have learned that identity criminals are both creative and persistent. The "bad guys" possess the same computer skills and equipment as the "good guys." In my opinion, repeated security lapses will stop only when company executives go to prison. Fines are not enough.
What are your opinions of the Anthem breach? Of the company's statements and actions so far? If you receive a breach notice from Anthem, please share details (but exclude any information that would further compromise the security of your personal information).