Massive Anthem breach more serious than mere credit card heists
Healthcare data is secure no more.
The revelation this week that hackers stole about 80 million customer records of one of the largest health insurers has laid bare the vulnerability of vital personal data held by medical providers.
According to a widely quoted study, a stunning 90 percent of health care organizations reported at least one data breach over the past two years.
These losses are far more serious than mere credit card thefts. The data is much more permanent, easy to use for identity theft, and much more difficult to change.
It reveals the soft underbelly of massive, online healthcare databases that are difficult to protect and expose virtually everyone to devastating harm.
Huge thefts of sensitive data have become increasingly common, as we noted in our year-end post, “2014: Year of the hack.”
But the latest revelation by giant health insurer Anthem raises the stakes to an entirely new level. It came amidst reports of an unusually high number of fraudulent tax returns being filed across the country – one way the stolen data could have been used.
An email alerting customers to the hack at Anthem sent on Feb. 4 was alarming.
“…[A]ttackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data,” wrote Joseph Swedish, Anthem president and CEO.
The Anthem web site announcing the data hack.
An identical announcement was made on a hastily published company website, AnthemFacts.
What was not said, however, was much more crucial. As the story unfolded, its true dimensions became clearer.
Although Anthem claimed medical histories did not appear to be compromised, many noted the company’s investigation was still fresh (the breach was discovered on Jan. 29) and conclusions about what was hacked may be premature.
But the nature of the data already stolen makes this hack much more threatening than the massive losses of credit and debit card data reported previously by firms like Target and Home Depot.
Credit card numbers and email addresses are easily canceled and replaced. Home addresses, employment data and social security numbers – commonly used to establish new accounts across the board – are not so easily changed.
This information can even be used to file a false tax return and pocket the refund.
Perhaps coincidentally, on Thursday the maker of TurboTax suspended filings of some tax returns after a higher than usual number of fraudulent returns was detected.
According to a press release from Intuit, “the company temporarily paused transmissions upon seeing an increase in suspicious filings and attempts by criminals to use stolen identity information to file fraudulent state tax returns and claim tax refunds.”
The Anthem hack also raises the possibility that even medical records of diagnoses and treatment are vulnerable.
The New York Times story on possible copycat hacks spurred by the Anthem attack.
The level of concern was highlighted in The New York Times in its Feb. 6 story, “Data Breach at Anthem May Lead to Others.”
“About 90 percent of health care organizations reported they have had at least one data breach over the last two years, according to a survey of health care providers published last year by the Ponemon Institute, a privacy and data protection research firm,” the report said.
The report added that the Anthem breach may be the precursor of others at health care organizations because of the higher value of the data held in their records.
“[S]ecurity experts warned on Friday that more attacks on health care organizations were likely because of the high value of the data on the black market,” the report said.
Officials at various government agencies did not waste time launching investigations.
A Feb. 6 Los Angeles Times report on the official response, “U.S., states probe massive data breach at health insurer Anthem,” noted that this was not the first time Anthem had been hacked.
“In 2013, federal regulators pointed out computer vulnerabilities at Anthem in a breach involving information on more than 600,000 customers. Anthem paid $1.7 million to resolve the matter,” the report said.
“Last year, the FBI warned healthcare companies industry-wide that their data security practices needed to be strengthened amid the growing threat of cyber attack.”
Did the warning go unheeded?
That the Anthem hack will cause a world of hurt for the victims is beyond doubt. But it raises the specter of much worse ahead. Data thieves are getting more sophisticated in choosing their targets – the new hack makes the breach of emails and corporate data at Sony look like child’s play.
Customers are left largely defenseless. Cleaning up after the hack is one recourse, but legal action is another, as reported by Bloomberg News a day after the Anthem announcement in its story, “Anthem Sued Over Large Data Breach by California Consumer.”
Perhaps a class-action lawsuit against Anthem will wake up the health care industry to the magnitude of its problem. But it should not have come to this in the first place.
In an increasingly connected world, data security must be at the top of the agenda of those who hold the keys to so many people’s identity. We must demand no less of all with whom we entrust them.