The Anthem breach continues to generate news. Just yesterday, NBC News reported that “millions of American children had their social security numbers, date of birth and health care ID numbers numbers stolen in the recent data breach at health insurance giant, Anthem Inc.”
All this despite Anthem reporting that they doubled their investment in security over the last four years. The company also believes it was compliant with all HIPAA/HITECH requirements at the time of the breach. However, it did not encrypt personally identifiable information (PII) while stored in its databases, nor was it required to do so by either HIPAA or Gramm-Leach-Bliley Act (GLBA). Encrypting PII while at rest is now considered a best practice by many experts. At the time of the breach, Anthem was considering encrypting its internal database as well as taking other steps to improve its security. Anthem says the medical information and financial data was not compromised. Anthem has offered free credit monitoring in the wake of the breach.
Anthem discovered the breach “when one of their senior administrators noticed someone was using his identity to request information from the database.” This is a positive indicator for Anthem’s security program. In most of the highly publicized breaches of the past two years companies have not detected the breach. Instead the breached companies have been informed by third parties including law enforcement, customers, and the criminals themselves.
Once Anthem discovered the breach it was very proactive in reaching out to law enforcement and bringing in third party computer forensic experts. Anthem fist discovered the suspicious activity on January 27, 2015. Anthem publically disclosed the breach on Wednesday, February 4, 2014. The public disclosure was made only eight days after the detection. HIPPA requires that companies make a disclosure within 60 days of first detecting the breach.
Unfortunately, recent article by Brian Krebs suggests that the breach may have started in April of 2014. This information is more aligned with one of the findings from Verizon’s 2014 Data Breach Investigations Report, which states that the gap between the time of a breach and the discovery of a breach is growing over time.
Some Anthem customers are experiencing an unfortunate secondary effect of the breach. Additional cyber criminals are attempting to prey on Anthem customers using phishing attacks. Anthem has attempted to address this in its FAQ which includes a warning that states, “Members who may have been impacted by the cyber attack against Anthem, should be aware of scam email campaigns targeting current and former Anthem members. These scams, designed to capture personal information (known as “phishing”) are designed to appear as if they are from Anthem and the emails include a “click here” link for credit monitoring. These emails are NOT from Anthem.” It warns members:
- DO NOT click on any links in email.
- DO NOT reply to the email or reach out to the senders in any way.
- DO NOT supply any information on the website that may open, If you have clicked on a link in email.
- DO NOT open any attachments that arrive with email.
In summary, despite apparent compliance with HIPPA and GLBA, Anthem was breached. Unlike many other companies it detected the breach on its own. It immediately brought in law enforcement and an expert third party computer forensics team to investigate, while at the same time stopping the exfiltration of any additional data. It then made a public disclosure of the breach, far quicker than the requirements mandated by HIPPA.
Anthem has further tried to warn current and former customers to be wary of email phishing attacks via media outlets and is informing current and former customers about details via its FAQ page at http://www.anthemfacts.com/faq.
Paul Hill has worked with SystemExperts as a principal project consultant for more than twelve years assisting on a wide range of challenging projects across a variety of industries including higher education, legal, and financial services. He joined SystemExperts full time in March 2012 and coordinates the SMARTday practice.