The massive cyberattack against Anthem, the nation's second-largest health insurer, exposes a growing cyberthreat facing health care companies that experts say often are unprepared for large attacks.
Hackers gained access to the private data of 80 million former and current members and employees of Anthem in one of the largest medical-related cyberattacks in history.
Authorities said the attack, discovered late last month and disclosed this week, did not involve private health records or credit card numbers, but it did expose Social Security numbers, income data, birthdays, and street and e-mail addresses.
Investigators suspect Chinese hackers might be responsible for the breach, according to an individual briefed on some aspects of the probe. There are also some indications that other health-care companies might have been targeted, said the individual, who spoke on the condition of anonymity to discuss the ongoing investigation.
Security experts said health care has become one of the ripest targets for hackers because of its vast stores of lucrative financial and medical information.
Health insurers and hospitals, they added, have struggled to mount the kinds of defenses used in large financial or retail companies, leaving key medical information vulnerable to attack.
While medical records, such as treatment details or test results, were not compromised in what Anthem called "a very sophisticated attack," experts say the breach underlines the worrying potential for attackers to steal private health data valued on the black market as tools for extortion, fraud or identity theft.
Medical information could be exploited, for example, to file false insurance claims and buy prescription drugs, and attackers could extort cash from policyholders desperate to keep their private medical data under wraps.
"Health-care records are the new credit cards," said Ben Johnson, chief security strategist at cybersecurity firm Bit9 + Carbon Black. "If someone gets your credit card number, you cancel it. If you have HIV, and that gets out, there's no getting that back."
1 in 9 Americans
Anthem, formerly known as WellPoint, covers one in nine Americans through its affiliate health plans, including under the Blue Cross Blue Shield brands. In Colorado, Anthem held the second-largest market share for health insurers in 2013, the latest year for which data were available.
The breach has "definite potential to be the largest" hack of a health-care organization, although it is too early in the investigation to say definitively, said Vitor De Souza, a spokesman for FireEye, which owns the company now helping with Anthem's security.
The data breach could affect individual policyholders as well as those enrolled in managed-care plans through Medicaid.
Anthem's chief executive, Joseph Swedish, was among those to have their personal data exposed. Anthem said it will notify current and former members whose information was breached, as well as provide free credit- monitoring and identity-protection services.
Once Anthem discovered the data breach Jan. 29, company officials contacted the FBI and retained Mandiant, a cybersecurity firm, to investigate the attack and review the insurer's defenses. The FBI said it is investigating the breach, which was first reported Thursday by The Wall Street Journal.
Lucrative data
Hackers were able to grab some of what experts called the most lucrative and damaging types of stolen personal data. Social Security numbers are an attractive target because they are tough to change and crucial to government, financial and medical use.
A set of complete health insurance credentials sold for $20 on underground markets in 2013 — 10 to 20 times more than a U.S. credit card number with a security code, according to Dell SecureWorks.
Medical information includes key identifying details that could be used to create a "fake patient" that could fraudulently bill programs such as Medicaid, experts said.
"What we've seen in the last few years is that attackers have realized the economics of health-care data are very, very attractive," said Lee Weiner, senior vice president at cybersecurity firm Rapid7.
The link to Chinese hackers, which was first reported by Bloomberg News, means the attack could be part of a larger campaign, experts say.
Dmitri Alperovitch, co-founder of cybersecurity firm CrowdStrike, said he has seen Chinese government hackers target health-care providers and insurance companies in the past six months for Social Security numbers and personal identifying information as well as health-care information.
"China sucks up as much information as possible on a variety of people that could come in handy later," he said, adding that CrowdStrike does not have information on the Anthem hack.
China has also been implicated in hacks on USIS, a major U.S. contractor that conducts background checks for the Department of Homeland Security. The Chinese also have targeted state motor vehicle departments and other agencies with large databases, Alperovitch said.
That employee data was stolen in the Anthem hack could indicate that hackers might be preparing for another attack, which would allow them to access internal systems that they were otherwise unable to reach, said Tom DeSot, an executive at cybersecurity firm Digital Defense.
Anthem has come under fire in the past for weak security. The insurer agreed in 2013 to pay $1.7 million to resolve federal claims that poor internal safeguards left personal information, including Social Security numbers and health data, from more than 600,000 people available online.
What got hacked?
Health insurer Anthem said late Wednesday that hackers broke into a database of information on 80 million people, in an attack the company discovered last week. The Blue Cross Blue Shield insurer said the hackers gained access to names, birthdates, e-mail addresses, employment details, Social Security numbers, incomes and street addresses of people who are currently covered or have had coverage in the past. The insurer, which covers more than 37 million people, said credit card information wasn't compromised.
If your data are stolen
Notify the credit agencies (Equifax, Experian, TransUnion) and request a 90-day credit alert. You might consider asking the agencies to place a full freeze on your credit.
Check your credit-card bill for irregularities, and don't overlook small charges.
If someone does steal your identity, contact the credit issuer to dispute fraudulent charges; ask the reporting agencies to remove bogus accounts from your record, and submit a report through the FTC website.
The Associated Press
No comments:
Post a Comment