In one of the biggest data breaches ever reported – and possibly the biggest ever – Anthem, the nation's second largest health insurer, is notifying as many as 80 million of its members that hackers penetrated its IT systems and swiped personal data.
Anthem last week discovered hackers had gained unauthorized access to its network, stealing the Social Security numbers, medical ID numbers, income data, names, addresses and birth dates of Anthem members, former members and employees – a number that could reach 80 million, according to a report in The Wall Street Journal. An initial investigation of the breach, which was detected by company officials last week, found that the cyberattack impacted all lines of Anthem Business.
The health insurer has notified the FBI and is conducting an "extensive forensic investigation to determine what members are impacted," read a company notice. To date, Anthem has not yet determined the entity or individual responsible for the attack.
"Anthem was the target of a very sophisticated external cyberattack," said Anthem President and CEO Joseph R. Swedish, in a statement. "I want to personally apologize to each of you for what has happened, as I know you expect us to protect your information. We will continue to do everything in our power to make our systems and security processes better and more secure."
Kevin Johnson, chief executive officer of the security consulting firm Secure Ideas, remains unconvinced that the cyberattack was "sophisticated," as Anthem's CEO Swedish described. Johnson, a white hat hacker, has done extensive security work for insurance companies, both as a consultant as a security admin, and a lot of what he sees has nothing to do with sophistication.
"I have never found an insurance company that required a sophisticated attacking incident," said Johnson. "Period." Although he has not worked specifically with Anthem before, Johnson said insurance companies are all very similar in that they have behemoth networks and "tons of systems" that make it challenging from a security perspective. There's systems the physicians connect to; there's systems other companies need to connect to. All in all, "it's a huge conglomeration of stuff," he opined.
Anthem officials said no credit card or medical data, such as claims or diagnoses, were compromised in the data breach.
But as Johnson said, the Social Security numbers stolen are what's more significant. "I don't even care about my credit card number. I'll get another one," he said. "We're more concerned about whether or not a credit card number has been stolen…and there's such a lack of concern about my medical records, my personal data," he continued.
With that said, Anthem appeared ahead of the game in one arena. They're better than two-thirds of organizations who discover data breaches by third parties, he said. "For Anthem to say…'Hey, we saw something weird,'" he explained, "that is leaps and bounds ahead of most breaches. It's already ahead of Target. It's already ahead of Community Health."
Mac McMillan, CEO of CynergisTek, a healthcare security and compliance consulting firm, seemed to agree. In terms of how Anthem has handled the cyberattack publicly, "they are being very proactive," he said, at least based on what has been reported thus far. Nonetheless, "this should serve as yet another wake-up call for those who haven't gotten it yet," McMillan added. "Healthcare is a target."
Anthem has also been working with the HITRUST Cyber Threat Intelligence Coordination Center, or C3, since the discovering the cyberattack, according to a Feb. 4 HITRUST alert. "It was quickly determined that the (indicators of compromise, including MD5 hashes, IP addresses etc.) were not found by other organizations across the industry, and this attack was targeted at a specific organization," the HITRUST alert said. It is believed, HITRUST added, to be a targeted advanced persistent threat actor.
Anthem officials have not responded to Healthcare IT News' request for comment and additional information surrounding the cyberattack.
This story will be updated.