US health insurer Anthem Inc. announced on February 4, 2015, that it was the victim of a sophisticated cyber attack resulting in the theft of tens of millions of records. Hackers were able to break into a database that contained as many as 80 million records. These records contained personal information about current and former customers, as well as staff members. Even CEO Joseph Swedish’s data was stolen.
This attack is one of the largest of all time, and the most significant within the healthcare industry. It affects several of Anthem’s subsidiaries and brands, including Anthem Blue Cross and Blue Shield, Empire Blue Cross and Blue Shield, Amerigroup, Healthlink, and Caremore.
According to Anthem’s website, its affiliated companies serve nearly 69 million people. The company is the second largest health insurer in the US; one out of every nine Americans has healthcare coverage through one of Anthem’s affiliated plans.
The Federal Bureau of Investigation is investigating the attack, which Anthem said was detected on January 29. In addition to informing the FBI, the company has also hired the cyber security firm Mandiant to assist in the investigation, evaluate the company’s computer system, and fix any other vulnerabilities.
The hackers stole a large amount of information that can be used to identify, contact, and/or find Anthem’s customers, as well as the company’s former and current employees. The legal term for this type of information is personally identifiable information (PII). Among other things, PII includes names, birthdates, physical addresses, and Social Security numbers.
Anthem stated that the hackers had "obtained personal information from [its] current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses, and employment information, including income data." The company stressed that there was no evidence to suggest that credit card or medical information was taken. However, even without credit card numbers, hackers can still do a huge amount of damage with the stolen information.
PII can be used to commit a number of crimes, including fraud and identity theft. Among other things, hackers can use the information to steal tax refunds, break into bank accounts, open new credit cards in the names of their victims, secure loans in the names of their victims, file fraudulent claims with health insurers, and receive medical treatment through the use of a stolen identity.
The severity of these crimes has made the loss of such information far more dangerous than the loss of a credit card number. The theft of a credit card number can be fixed by canceling the card. Identity theft, however, creates problems that last a lifetime. According to a cyber security professional quoted by Reuters, the black market value of stolen health credentials is 10 to 20 times higher than that of stolen credit card numbers.
Hackers are already using the Anthem breach as part of new efforts to steal information. These hackers, who are not believed to be the same ones who broke into Anthem’s database, are claiming to be representatives of Anthem and are sending out email messages with links to websites that ask for personal data. This is a good example of phishing, a hacking technique in which attackers try to trick their targets into revealing personal information. Hackers can make a lot of money from phishing, even if only a small percentage of recipients fall for the scam.
Anthem isn’t the only corporation to suffer from a recent cyber attack. In 2014, hackers stole large amounts of data from several major organizations, including Home Depot, Staples, JP Morgan Chase, Sony, Community Health Services, and the US Postal Service. These incidents show that blindly following the reactive security practices of larger organizations can lead to trouble. Instead, small companies must take a proactive approach to cyber security.
A key component in developing a proactive cyber security approach is education. Companies should learn about hacking techniques such as phishing, as well as how to spot fake emails and text messages. Most importantly, they should develop strong relationships with their IT service providers.
IT service providers specialize in protecting companies from a variety of attacks. Many providers have earned data protection certifications and produce periodic reports proving that they comply with data security requirements. They can also provide insight into data backup, disaster recovery, encryption, user authentication, and more.
A good disaster recovery program is especially important in light of the recent high-profile breaches. IT service providers can educate companies on the steps they should take to protect themselves and recover from these types of attacks. They can also suggest ways to strengthen or improve user authentication for local and remote access. User authentication methods such as multi-factor authentication can help prevent unauthorized access to an account, even if the unauthorized user has stolen information that could help them break into the account.
A qualified IT specialist can help you find out about today’s threats to your company. Contact us to learn about the best ways to keep your data safe.
About CHIPS Computer Services
CHIPS Computer Services is an award winning Managed Services Provider specializing in help businesses increase efficiencies and profits by levering properly managed technology. To learn how CHIPS can help your business, email us at email@example.com to schedule no cost business assessment.