An Apple A Day: Anthem Health Insurance Breach Exposes 80 Million Records

As the old adage goes, an apple a day keeps the doctor away. In the case of the just announced Anthem Health Insurance data breach, an apple a day most definitely doesn’t keep the hackers away.

The Anthem breach

Anthem (formerly WellPoint) is one of the largest health insurance providers in the United States. Yesterday they disclosed a massive data breach that may have impacted up to 80 million people. As their president and CEO noted in the disclosure:

Despite our best efforts, Anthem was the target of a very sophisticated external cyber-attack.

Complete health insurance credentials sold for $20 a piece on underground markets in 2013

All the details are still being unraveled but it appears that the attackers gained unauthorized access to Anthem’s systems that store both current and former customer names, birth dates, medical IDs, social security numbers, employment information and some income data. There is currently no evidence that credit card or medical information such as test results were targeted or compromised. Attribution of the breach is always a whack-a-mole project, but it is now being reported by multiple sources that there is some evidence that points to Chinese state-sponsored hackers who are stealing personal information from healthcare companies for purposes other than pure profit. According to Dell SecureWorks, complete health insurance credentials sold for $20 a piece on underground markets in 2013, which is 10 to 20 times more than a U.S. credit card number with a security code. And stolen health insurance credentials that included dental, vision, or chiropractic plans associated with the health plan increased the value by $20.

Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation.

Back in 2010, WellPoint was fined $1.7 million for a data breach that impacted 612,000 people and resulted in the disclosure of personal information. The fine was levied by the United States Department of Health and Human Services (HHS) for inadequately implementing policies and procedures to protect unsecured electronic PHI (protected health information) which is covered by HIPAA compliance standards. The healthcare sector is experiencing cyberattacks at an alarming rate and is currently one of the most susceptible industries to these types of breaches. The 2014 Verizon Data Breach Report noted that the healthcare industry was behind the curve from a security standpoint, which makes these data breaches all the more likely to occur again.

Tenable can help the healthcare industry

Tenable’s continuous network monitoring solution, SecurityCenter Continuous View™ (SecurityCenter CV™), enables healthcare organizations to clearly see their infrastructure, simplify the IT environment, and better protect the business. The platform enables continuous discovery, assessment, and reporting on every component of the network against a security policy — giving healthcare organizations superior visibility into the risks to their business, so those risks can be measured and mitigated.

The healthcare industry was behind the curve from a security standpoint

Tenable enhances day-to-day security operations, helping resource-strapped healthcare organizations meet multiple compliance demands, while simultaneously strengthening defenses. SecurityCenter CV integrates with and correlates data from existing security technologies, helping security teams orchestrate, optimize, and manage their defenses more efficiently. SecurityCenter CV also offers role-based administration, reporting, built-in security analytics, and an expanding collection of dashboards. The Tenable continuous network monitoring solution delivers the insights that security operations and incident response teams need to respond faster and more effectively. Targeted dashboards, like this HIPAA Monitoring Summary Dashboard, help healthcare organizations assess vulnerabilities at a glance:

Lessons learned

This week’s breach at Anthem will likely be the largest healthcare related breach to date and the ripple effects are just now beginning to be felt. Thankfully for Anthem stockholders, shares have held steady since the news broke. There will assuredly be major expenses to make sure this doesn’t happen for a third time. But Anthem is in the business of billing doctors and collecting premiums from group plans – not cybersecurity. As long as Anthem can deal swiftly and effectively with the fallout, there’s no reason to think this will have a chilling effect on doctors and the general public. But healthcare organizations have been warned to harden their security policies and protect their data.