HACKING GOTCH YA?
On February 4, 2015, Anthem Inc., the second-largest health insurer in the United States, announced it had suffered one of the largest data breaches in history. Hackers stole personal information—including social security numbers, birthdays, employment information, and income data—belonging to an estimated 78.8 million victims.
The lawyers moved almost as fast as the hackers. The first class-action suits began on February 5, 2015—the day after Anthem’s announcement. Anthem now faces over 40 lawsuits as a result of the breach. Many of the court documents filed are publicly available. The plaintiffs will need to prove the claims made in the documents, but the lawsuits still provide valuable lessons about data security.
According to the company, unauthorized queries of its database began on December 10, 2014, and were discovered on January 27, 2015. Exactly how the attackers breached security is not known. The attackers’ identities are also unknown, but the malicious software used in the attack matches software known to be used by Chinese hackers, according to the Washington Post.
No medical information or credit card data were compromised, but the stolen data is arguably more valuable. As cybersecurity expert Avivah Litan told CNN, personal information is “worth more than a credit card. There’s all kind[s] of damage that can happen … Someone could take over my Amazon account. They could call the call center and take money out of my 401(k). They could file a tax refund in my name. And all those things are really hard to recover from.”
Anthem customers are now being hit with phishing scams, with fake emails purporting to be from Anthem being used to deceive customers into handing over still more sensitive information.
The class actions assert that Anthem did not do enough to protect customers’ data. More details are still to come, but lawyers are already pointing to Anthem’s failure to encrypt any of its data while it was being stored. A Maine lawsuit claims that encryption would have left the hackers with “electronic gibberish” instead of valuable data.
A further problem for Anthem is that the risk of data breaches in healthcare was well known and widely publicized. Anthem was fined $1.7 million by the federal government for a 2010 data breach and settled a smaller case with the California Attorney General. Numerous studies cited in an Indiana class action found that the risk of data theft in healthcare was serious, and in 2014 the FBI took the step of warning the entire industry of the danger.
The same Indiana lawsuit alleges that the healthcare industry underspends on information technology, claiming that IT is often just 2-3% of the operating budget, where retail and financial businesses spend more than 20%.
Anthem is also being criticized for the time it took to discover the breach (on the company's own timeline, about seven weeks passed between the first unauthorized queries and their discovery) and to notify customers.
The first and biggest lesson for business is to take security warnings very seriously. If your business is publicly known to be a tempting or vulnerable target, you can expect hackers to be aware of that fact.
Second, businesses should seriously consider encrypting sensitive data not only while it is moved in and out of a database, which Anthem did, but also while it is stored. Encryption can slow day-to-day operations, which no company wants, but that cost now has to be weighed carefully against the very real risk of hacking. “Encryption is your best defense” against these kinds of attacks, according to the Department of Health and Human Services’ Office for Civil Rights.
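To make the in-transit versus at-rest distinction concrete, here is an added example (not code from the article or from Anthem) of field-level encryption of a stored record. It uses only Go's standard library (AES-256-GCM from crypto/cipher); the member rows, names and SSNs are constructed sample data, and the function names are mine. A bulk query of the encrypted table by someone who can reach the database but not the key yields only ciphertext, the “electronic gibberish” the Maine lawsuit refers to. The last function is the caveat a practitioner should keep in mind: if an attacker's queries run through the application component that holds the key, encryption at rest is transparent to them, so key separation and monitoring of query volume matter as much as the encryption itself.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Row is one stored member record (illustrative field names only).
type Row struct {
	Name string
	SSN  string // clear in the unencrypted table; base64(nonce||ciphertext) after StoreEncrypted
}

// SampleMembers is constructed sample input (fictional names and SSNs), modelling the unencrypted table.
var SampleMembers = []Row{
	{Name: "Alice Example", SSN: "123-45-6789"},
	{Name: "Bob Example", SSN: "987-65-4321"},
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one cell; the random nonce is prepended so each row decrypts on its own.
func EncryptField(key []byte, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), nil)), nil
}

// DecryptField reverses EncryptField; GCM's tag check makes a wrong key or a tampered cell fail.
func DecryptField(key []byte, encoded string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", fmt.Errorf("malformed ciphertext")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoreEncrypted encrypts the SSN column before the row is written; a bulk dump without the key sees only ciphertext.
func StoreEncrypted(key []byte, members []Row) ([]Row, error) {
	out := make([]Row, len(members))
	for i, m := range members {
		ct, err := EncryptField(key, m.SSN)
		if err != nil {
			return nil, err
		}
		out[i] = Row{Name: m.Name, SSN: ct}
	}
	return out, nil
}

// QueryThroughApp is the caveat: queries issued through the key-holding application still return plaintext.
func QueryThroughApp(key []byte, rows []Row) ([]string, error) {
	out := make([]string, len(rows))
	for i, r := range rows {
		pt, err := DecryptField(key, r.SSN)
		if err != nil {
			return nil, err
		}
		out[i] = pt
	}
	return out, nil
}

func main() {
	key := make([]byte, 32) // production: fetched from a KMS or HSM, never stored beside the table
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	enc, err := StoreEncrypted(key, SampleMembers)
	if err != nil {
		panic(err)
	}
	viaApp, err := QueryThroughApp(key, enc)
	fmt.Println("encrypted table:", enc)
	fmt.Println("via key-holding app:", viaApp, err)
}
```

Run it with `go run .` to see the two views of the same table. The design point is that the key must not live where the data lives: if the same stolen credential that can run queries can also reach the key, the encryption buys nothing, which is why the at-rest control has to be paired with separate key custody and with alerting on unusual query volume from any single account.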
Third, the cost of cybersecurity has to be set against the cost of a data breach. This hack may cost Anthem over $100 million—more than the limit of its cyberinsurance policy.
Finally, the attack is a reminder of the importance of internal vigilance. Unusually for these cases, an Anthem employee discovered the hack; more often, fraudulent transactions alert financial institutions to the problem before the compromised business finds it. Without that discovery, the attack might have been even worse.