Anthem, one of the nation’s largest health insurers, announced last Wednesday that it had been attacked by hackers and that personal information for as many as 80 million individuals had been compromised.
Cyber attacks and data breaches are now commonplace. Hackers and cyber criminals are developing new methods of attack at unprecedented speeds. Although they may seem unstoppable, they are not. Nor can we let them become so. Every breach, every bit of data accessed illegally, is another opportunity for us to take note and learn.
Anthem has asserted that credit card information was not taken, distinguishing its situation from that of retailers such as Target and Home Depot. The information that Anthem’s hackers did access, however, included birthdates, addresses, email addresses, employment and income information, medical identification numbers, and Social Security Numbers. This combination of information about an individual is significantly more valuable on the black market than credit card details alone. In the wrong hands, it creates the potential for mass false insurance claims and identity theft.
The Anthem attack was external and sophisticated. While some commentators and industry experts are pointing fingers at China, which presents a whole other slew of issues and concerns, the basic fact is that the health insurer fell victim to hackers who accessed its networks through the log-in credentials of an Anthem employee. That employee detected the unauthorized access when he was routinely monitoring the system days before the public announcement.
Executives were notified and involved immediately. Anthem reported the incident to the FBI. Anthem’s CEO issued a public statement six days after the initial detection. Joshua Campbell, an FBI spokesman, said, “Anthem’s initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances. Speed matters when notifying law enforcement of an intrusion, as cyber criminals can quickly destroy critical evidence needed to identify those responsible.”
Although the FBI has been singing Anthem’s praises for its prompt response, its customers were not comforted. The day after CEO Joseph Swedish issued the public announcement, two class actions were filed in federal courts, alleging, in part, that Anthem unreasonably delayed informing customers and failed to protect customers’ information and properly encrypt data. Customers also assert that Anthem’s initial statement left too many questions unanswered. One plaintiff’s counsel accused Anthem of being “evasive” in its remarks and responses. The two class actions are only the beginning of what will certainly be years of litigation fallout.
The Anthem breach has also brought to light specific concerns about the health care industry. Security specialists have commented that the health care world is not up to speed in protecting sensitive personal information and that it lags behind other industries such as financial services. Some specialists have indicated that because of the health industry’s failure to keep abreast of security concerns and protections, a large-scale, devastating breach was only a matter of time.
Anthem’s data was allegedly vulnerable to the attack because the information in the company’s internal databases was not adequately protected, and was less protected than the medical information Anthem sent to or shared with doctors, hospitals, and others outside of its own system. This is not the first breach impacting a health care company, but this single breach impacting 80 million people is larger than all health care industry breaches combined over the past five years.
Anthem may be the first health care victim of a blockbuster breach, but it will likely not be the last if industry participants do not put appropriate measures in place. The key is recognizing that no company can count on being safe. It is not just retailers or banks that need protection—it’s everyone. And every company, regardless of its industry, must strive to use the most up-to-date security and protection measures available. There is no doubt that hackers and cyber criminals are doing everything in their power to stay ahead of the curve.