A massive data security breach takes place. Investigators point fingers at state-sponsored perpetrators from either China or North Korea. A flurry of accusations and the resultant denials ensue. Before the aura surrounding one breach fades, another is reported, often eclipsing the one before. Enterprises pay fines once the investigation is complete. Things move on.
Is the world of modern business really so unassuming? Definitely not. The outer layer of business as usual hides the inner tides. The increasingly informed customer turns away. Businesses pay an irreversibly damaging price, both reputational and financial. In what could be the largest data breach in the transformation-seeking US healthcare industry, Anthem Inc., one of the country’s top two health insurers, confirmed its systems were compromised, jeopardizing sensitive information of about 80 million customers and employees, both existing and former.
Sophistication in a Booming Business
Healthcare data theft is a booming business, and persistently high-impact breaches keep the industry amply supplied. Cyber-thieves are now highly specialized and use evolved attack methodologies with unprecedented precision to break into other organizations’ networks and systems. Anthem has become the latest health care target for hackers, who are increasingly going after health care records.
In a report, Dell SecureWorks detailed that in underground markets health insurance credentials sell for $20 each, with an additional $20 for the associated dental, vision, or chiropractic plan information. US credit card information with security code, on the other hand, is priced at $1-$2! The Associated Press said in a report that 2014 saw more than 10 million people in the US affected by health care data breaches. “That was the worst year for health care hacking since 2011.” Menacingly, the “very sophisticated external cyberattack” on Anthem at the beginning of the year could easily make 2015 eclipse the previous year in notoriety.
The latest breach dwarfs the 4.8 million-record 2014 Community Hospital Systems breach and the 4.9 million-record 2011 Tricare data theft, previously the two largest breaches in the US health care industry. Strikingly, Anthem was fined $1.7 million for a 2010 electronic protected health information (ePHI) and credit card breach which exposed data of more than 610,000 customers. Unlike the 2010 heist, credit card details and personal medical information are claimed to be safe this time around. However, the magnitude of the thievery, which included income data, e-mail addresses, medical IDs and Social Security numbers, ensures fraudsters have more than enough information to harm customers for a long time to come.
The Indianapolis-based insurer is now doing what it can do best after a risk event: reaching out as a victim, and setting up a helpline and website for people to seek assistance. It has been prompt to “close the security vulnerability,” cooperate with authorities and join irate sufferers in their “concern and frustration.” According to its chief information officer Thomas Miller, Anthem is giving “general direction” to the affected and had reportedly put extensive security plans in place to protect its data, including doubling the money spent on cyber-security and employing nearly 200 security specialists.
However, the exposed weakness of the overall security posture, and the efforts to tame the tumultuous tide with damage control measures, point to a failure to bridge the gap between commitment and execution. Attorneys “around the country are unhappy with the lack of communication” from the health insurer, said Connecticut Attorney General George Jepsen, adding his office “has been flooded with phone calls from concerned Connecticut residents who are frustrated with the lack of information.”
You would have expected the insurance giant to exercise uncompromising security in the wake of the increase in cyber attacks, and more so after being caught off-guard in 2010. However, it turns out Anthem did not encrypt the stored data that was stolen, The Wall Street Journal found, presumably because insurance firms in the US are not required to. Anthem may now face long-lasting criticism for preferring the temporary convenience of sloppy practices, doing only what the law obliged and shunning a proactive stance, all at its own and its customers’ peril.
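The at-rest encryption the paragraph says was missing can be applied at the field level, so that a copy of the database table alone does not expose Social Security numbers or income data. The following Go program is an added example written for this article, not code from Anthem or from the page’s author; the member record, the key and all values are constructed, and the design shown (AES-GCM with the member ID bound in as associated data, one random nonce per field) is this example’s choice, not a description of any insurer’s system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record is a constructed member record carrying the kinds of fields the
// article says were taken; the values used below are made up.
type Record struct {
	MemberID string
	SSN      string
	Income   string
}

// StoredRecord is what is written to the database: the sensitive fields are
// ciphertext, so a dump of the table does not reveal them without the key.
type StoredRecord struct {
	MemberID  string
	SSNEnc    []byte
	IncomeEnc []byte
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-GCM under a fresh random nonce and returns
// nonce||ciphertext||tag. aad (here the member ID) is authenticated but not
// encrypted, so a ciphertext cannot be silently moved to another member's row.
func seal(key, aad, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any modification of the blob or a mismatching aad makes
// the authentication tag fail, so the caller gets an error instead of garbage.
func open(key, aad, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// EncryptRecord converts a Record into its at-rest form.
func EncryptRecord(key []byte, r Record) (StoredRecord, error) {
	aad := []byte(r.MemberID)
	ssn, err := seal(key, aad, []byte(r.SSN))
	if err != nil {
		return StoredRecord{}, err
	}
	inc, err := seal(key, aad, []byte(r.Income))
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{MemberID: r.MemberID, SSNEnc: ssn, IncomeEnc: inc}, nil
}

// DecryptRecord is used only by the application path that legitimately needs
// the clear values; it fails closed if the row was tampered with or moved.
func DecryptRecord(key []byte, s StoredRecord) (Record, error) {
	aad := []byte(s.MemberID)
	ssn, err := open(key, aad, s.SSNEnc)
	if err != nil {
		return Record{}, err
	}
	inc, err := open(key, aad, s.IncomeEnc)
	if err != nil {
		return Record{}, err
	}
	return Record{MemberID: s.MemberID, SSN: string(ssn), Income: string(inc)}, nil
}

func main() {
	// In production the key lives in a KMS or HSM, separate from the data store;
	// this fixed, constructed key exists only so the demo runs stand-alone.
	key := []byte("0123456789abcdef0123456789abcdef")
	r := Record{MemberID: "M-0001", SSN: "123-45-6789", Income: "71000"}
	s, err := EncryptRecord(key, r)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: member=%s ssn=%s income=%s\n",
		s.MemberID, hex.EncodeToString(s.SSNEnc), hex.EncodeToString(s.IncomeEnc))
	back, err := DecryptRecord(key, s)
	fmt.Println("decrypted:", back, err)
}
```

Binding the member ID as associated data is the detail worth noticing: it means an attacker with write access to the table cannot copy one member’s encrypted SSN into another member’s row and have the application decrypt it, and any bit flipped in the stored blob is rejected rather than decrypted to a plausible-looking value. The key management question the comment raises (keeping the key away from the data it protects) is what separates encryption that limits a breach from encryption that merely satisfies a checklist.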
“As far as China being involved, I don’t know,” FBI spokesman Paul Bresson told Reuters. “I don’t think we know yet. Our investigation is ongoing.”
But, as in so many other instances, we may never have conclusive answers.
Risk Management Studio is a risk management software toolkit combining IT risk management and business continuity management into one easy-to-use solution. RM Studio is a turnkey deployment designed to immediately streamline operational risk management for the implementation and maintenance of an effective and efficient ISMS, as well as to meet the compliance requirements outlined in management standards such as ISO 27001:2013 and PCI DSS 3.0.