Anthem, the second-largest health insurer in the United States, has suffered a data breach that may turn out to be the largest health care breach to date, as the compromised database holds records of some 80 million individuals.
Not much is known about how the attack was discovered, how it unfolded and who might be behind it, but the breach has been confirmed by the company’s CEO Joseph Swedish in a public statement, in which he says they were the victims of a “very sophisticated external cyber attack.”
“These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data,” he shared, and added that, as far as they can tell for now, “no credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.”
“Anthem’s own associates’ personal information – including my own – was accessed during this security breach,” he noted, and promised that they will notify each of the affected customers in writing (via a letter), and provide credit monitoring and identity protection services free of charge.
The breach impacted customers of all their product lines: Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare. But, the final number of affected individuals is still to be determined.
The company has notified the FBI, and has hired Mandiant to evaluate their systems and identify solutions to secure them.
According to Madiant’s spokesman Vitor De Souza, the attackers are an “advanced group” that used custom malware, and the breach was spotted by Anthem employees within a few days after it happened.
“While Anthem claim there is no evidence that financial or medial data belonging to their customers has been exposed, the information compromised is enough for criminals to commit identity theft,” Brian Honan, CEO of BH Consulting and Special Advisor to Europol Cybercrime Centre, commented for Help Net Security.
“Late last year the FBI warned US Healthcare providers that criminals were targeting healthcare data as criminals can abuse the personal details of individuals to make fake medical claims, purchase drugs or medical equipment which can then be sold. Recent analysis of the cybercrime underground market places shows that medical data is worth about $10 per record, which is roughly ten times more than credit card data.”
Anthem spokeswoman Kristin Binns stated that the company has doubled its cybersecurity spending over the past four years.
“It is yet unclear who is behind the attack, but if the group behind that compromised Anthem and plans to sell that information on the black market, it means cybercriminals can buy access to the stolen data and use that information to drain your bank account, open new credit accounts and telephone accounts or even utility accounts. They can even obtain medical care using your information,” pointed out Jaime Blasco, VP and chief scientist of AlienVault.
For more insight on what security professionals think on this breach, read out roundup.