Anthem medical data breach explained
The Anthem medical data breach was a breach of information held by Elevance Health, known at that time as Anthem Inc.
On February 4, 2015, Anthem, Inc. disclosed that criminal hackers had broken into its servers and had potentially stolen over 37.5 million records containing personally identifiable information.[1] On February 24, 2015, Anthem raised the number to 78.8 million people whose personal information had been affected.[2] According to Anthem, Inc., the data breach extended into multiple brands Anthem, Inc. uses to market its healthcare plans, including Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, and UniCare.[3] Healthlink says that it was also a victim.[4] Anthem says users' medical information and financial data were not compromised. Anthem has offered free credit monitoring in the wake of the breach.[5] Michael Daniel, chief adviser on cybersecurity for President Barack Obama, said he would be changing his own password.[6] According to The New York Times, about 80 million company records were hacked, and there is a fear that the stolen data will be used for identity theft.[7] The compromised information contained names, birthdays, medical IDs, social security numbers, street addresses, e-mail addresses and employment information, including income data.[8][9]
Theft of the data
The data was stolen over a period of weeks in the month before the data breach was discovered.[10]
Because no medical information was compromised, Anthem was not required by law to encrypt the data.[11] However, Anthem faced several civil class-action lawsuits, which were settled in 2017 at a cost of $115 million. Anthem did not admit any wrongdoing in the settlement.[12] Data from the attack is expected to be sold on the black market.[13]
Impact
People whose data was stolen could face identity theft problems for the rest of their lives.[14] Anthem had a million insurance policy for cyber problems from American International Group.[15] One report suggested that all of this money could be consumed by the process of notifying customers of the breach.[15]
Responses
Anthem hired Mandiant, a cybersecurity firm, to review its security systems, and advised people whose data was stolen to monitor their accounts and remain vigilant.[16][17]
The theft of the data raised fears generally about the theft of medical information.[18][19] A writer from Harvard Law School suggested that this data breach might spark reform of security practices and government data safety regulation.[20]
An investigation conducted by several state insurance commissioners blamed the breach on an attacker whose identity was withheld, and claimed that the breach was likely ordered by a foreign government whose name was withheld.[21] It also concluded that Anthem had taken reasonable measures to protect its data before the breach and that its remediation plan was effective at shutting down the breach once it was discovered.[21] It also marked the starting date of the breach as February 18, 2014.[21] The lead investigator was the Indiana Department of Insurance (DOI), which is Anthem's principal regulator because Anthem is headquartered in Indiana.[22] The Indiana DOI hired independent auditors to conduct a security assessment at Anthem, which concluded, "While deficiencies within Anthem’s cybersecurity posture were noted by the Examination Team, these deficiencies were not, in our experience, uncommon to companies comparable to Anthem in size and scope. While the pre-breach deficiencies impacted Anthem’s ability to reduce the likelihood of and quickly detect the Data Breach, the controls implemented subsequent to the Data Breach should improve Anthem’s ability to detect future breaches and enable Anthem to respond more effectively to a future attack than was the case in this instance."[22]
Federal regulators also conducted an investigation of the Anthem data breach, resulting in a $16 million settlement between Anthem and the Department of Health and Human Services (HHS), by far the largest HHS data breach settlement.[23] An HHS Director overseeing the investigation said, "The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history. Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people's private information."[23] The HHS settlement also required Anthem to perform a risk assessment and correct any identified deficiencies in its cybersecurity, with HHS oversight of Anthem's progress.[23]
Approximately 100 private class action lawsuits were filed against Anthem over the data breach and consolidated in California federal court, in front of Judge Koh, a respected authority in data breach litigation.[24] After contested briefing over who should lead the litigation efforts, Judge Koh appointed Eve Cervantez of Altshuler Berzon and Andy Friedman of Cohen Milstein as co-lead counsel, and appointed Eric Gibbs of Gibbs Law Group and Michael Sobel of Lieff Cabraser to head a Plaintiffs' Steering Committee.[25] In 2017, Anthem agreed to settle the litigation for $115 million, the largest-ever data breach settlement at the time.[26] The attorneys requested $38 million in fees for their work on the case, but Judge Koh slashed the fee request, finding that only $31 million in fees were merited.[27]
Notes and References
[1] Riley, Charles. "Insurance giant Anthem hit by massive data breach". CNN Money. 4 February 2015. Retrieved 20 February 2015. Archived 19 February 2015: https://web.archive.org/web/20150219062231/http://money.cnn.com/2015/02/04/technology/anthem-insurance-hack-data-security
[2] Mathews, Anna. "Anthem: Hacked Database Included 78.8 Million People". The Wall Street Journal. 24 February 2015 (subscription required). Retrieved 4 May 2020. Archived 26 July 2020: https://web.archive.org/web/20200726054027/https://www.wsj.com/articles/anthem-hacked-database-included-78-8-million-people-1424807364
[3] "Data Breach at Health Insurer Anthem Could Impact Millions — Krebs on Security". KrebsOnSecurity. 5 February 2015. Retrieved 21 February 2015. Archived 16 May 2021: https://web.archive.org/web/20210516000920/https://krebsonsecurity.com/2015/02/data-breach-at-health-insurer-anthem-could-impact-millions/
[4] "Healthlink homepage". healthlink.com. 10 February 2015. "Center of page; even the Anthem page doesn't reference Healthlink." Archived 15 February 2015: https://web.archive.org/web/20150215230526/https://www.healthlink.com/
[5] Pepitone, Julianne. "Anthem Hack: Credit Monitoring Won't Catch Medical Identity Theft". NBC News. 5 February 2015. Retrieved 5 February 2015. Archived 5 February 2015: https://web.archive.org/web/20150205235106/http://www.nbcnews.com/tech/security/anthem-hack-credit-monitoring-wont-catch-medical-identity-theft-n300836
[6] Riley, Michael A. "Chinese State-Sponsored Hackers Suspected in Anthem Attack". Bloomberg.com. 5 February 2015 (subscription required). Retrieved 5 March 2017. Archived 25 February 2017: https://web.archive.org/web/20170225221806/https://www.bloomberg.com/news/articles/2015-02-05/signs-of-china-sponsored-hackers-seen-in-anthem-attack
[7] Abelson, Reed; Goldstein, Matthew. "Anthem Hacking Points to Security Vulnerability of Health Care Industry". The New York Times. 5 February 2015 (subscription required). Retrieved 1 March 2017. Archived 7 August 2019: https://web.archive.org/web/20190807204250/https://www.nytimes.com/2015/02/06/business/experts-suspect-lax-security-left-anthem-vulnerable-to-hackers.html
[8] Weise, Elizabeth. "Massive breach at health care company Anthem Inc." USA Today. 5 February 2015. ISSN 0734-7456. Retrieved 20 February 2015. Archived 21 February 2015: https://web.archive.org/web/20150221145308/http://www.usatoday.com/story/tech/2015/02/04/health-care-anthem-hacked/22900925/
[9] Mathews, Anna; Yadron, Danny. "Health Insurer Anthem Hit by Hackers - WSJ". The Wall Street Journal. 4 February 2015 (subscription required). Retrieved 20 February 2015. Archived 18 February 2015: https://web.archive.org/web/20150218064804/http://www.wsj.com/articles/health-insurer-anthem-hit-by-hackers-1423103720
[10] Zetter, Kim. "Health Insurer Anthem Is Hacked, Exposing Millions of Patients' Data". Wired. 5 February 2015. Retrieved 20 February 2015. Archived 21 February 2015: https://web.archive.org/web/20150221154407/http://www.wired.com/2015/02/breach-health-insurer-exposes-sensitive-data-millions-patients
[11] Whitney, Lance. "Anthem's stolen customer data not encrypted". CNET. 6 February 2015. Retrieved 20 March 2015. Archived 13 March 2015: https://web.archive.org/web/20150313022844/http://www.cnet.com/news/anthems-hacked-customer-data-was-not-encrypted/
[12] Freeman, Liz. "Anthem settles a security breach lawsuit affecting 80M". USA Today. 26 June 2017. Retrieved 20 November 2017. Archived 1 December 2017: https://web.archive.org/web/20171201175633/https://www.usatoday.com/story/money/business/2017/06/26/anthem-settles-security-breach-lawsuit-affecting-80m/103217152/
[13] Murphy, Tom; Bailey, Brandon. "Why hackers are targeting the medical sector". Boston Globe. Associated Press. 6 February 2015. Retrieved 20 February 2015. Archived 22 February 2015: https://web.archive.org/web/20150222122411/http://www.bostonglobe.com/business/2015/02/06/why-hackers-are-targeting-medical-sector/xxjFN6G3cFJZ8Fh3mF3XhN/story.html
[14] Rudavsky, Shari. "Anthem data breach could be 'lifelong battle' for customers". IndyStar. 7 February 2015. Retrieved 20 February 2015. Archived 13 March 2015: https://web.archive.org/web/20150313115013/http://www.indystar.com/story/news/2015/02/05/anthem-data-breach-lifelong-battle-customers/22953623/
[15] Osborne, Charlie. "Anthem data breach cost likely to smash $100 million barrier". ZDNet. 12 February 2015. Retrieved 20 February 2015. Archived 15 February 2015: https://web.archive.org/web/20150215183955/http://www.zdnet.com/article/anthem-data-breach-cost-likely-to-smash-100-million-barrier/
[16] Popken, Ben; Grant, Kelli. "Anthem Breach: What Should I Do Right Now?" NBC News. 6 February 2015. Retrieved 20 February 2015. Archived 20 February 2015: https://web.archive.org/web/20150220050314/http://www.nbcnews.com/business/consumer/anthem-breach-what-should-i-do-right-now-n300796
[17] McNeal, Gregory S. "Health Insurer Anthem Struck By Massive Data Breach". Forbes. 4 February 2015. Retrieved 20 February 2015. Archived 7 February 2015: https://web.archive.org/web/20150207105537/http://www.forbes.com/sites/gregorymcneal/2015/02/04/massive-data-breach-at-health-insurer-anthem-reveals-social-security-numbers-and-more/
[18] Terhune, Chad. "Anthem hack raises fears about medical data". Los Angeles Times. 5 February 2015. ISSN 0458-3035. Retrieved 20 February 2015. Archived 2 March 2015: https://web.archive.org/web/20150302055644/http://www.latimes.com/business/la-fi-anthem-hack-fallout-20150206-story.html
[19] Abelson, Reed; Creswell, Julie. "Data Breach at Anthem May Forecast a Trend". The New York Times. 6 February 2015 (subscription required). ISSN 0362-4331. Retrieved 20 February 2015. Archived 9 February 2015: https://web.archive.org/web/20150209094501/http://www.nytimes.com/2015/02/07/business/data-breach-at-anthem-may-lead-to-others.html
[20] Terry, Nicholas. "Time for a Healthcare Data Breach Review?" Bill of Health. 7 February 2015. Retrieved 20 February 2015. Archived 16 May 2020: https://web.archive.org/web/20200516081352/https://blog.petrieflom.law.harvard.edu/2015/02/07/time-for-a-healthcare-data-breach-review/
[21] "Investigation of major Anthem cyber breach reveals foreign nation behind breach". 17 January 2017. Retrieved 16 February 2017. Archived 17 February 2017: https://web.archive.org/web/20170217223340/http://www.insurance.ca.gov/0400-news/0100-press-releases/2017/release001-17.cfm
[22] "Multistate Targeted Market Conduct and Financial Examination of Anthem Insurance Companies". National Association of Insurance Commissioners. Retrieved 8 February 2019. Archived 17 February 2019: https://web.archive.org/web/20190217104922/http://www.insurance.ca.gov/0400-news/0100-press-releases/2016/upload/Anthem-Examination-Report-AM-2016-12-01.pdf
[23] Telchert, Erica. "Anthem to pay $16M in record data breach settlement". Modern Healthcare. 16 October 2018. Retrieved 8 February 2019. Archived 23 March 2023: https://web.archive.org/web/20230323200621/https://www.modernhealthcare.com/article/20181016/NEWS/181019927/anthem-to-pay-16m-in-record-data-breach-settlement
[24] Trade, Steven. "Blue Cross Entities Want Out Of Anthem Data Breach MDL". Law360. Retrieved 8 February 2019. Archived 9 February 2019: https://web.archive.org/web/20190209124519/https://www.law360.com/articles/730750/blue-cross-entities-want-out-of-anthem-data-breach-mdl
[25] "Plaintiffs' Counsel Announce $115 Million Proposed Class Action Settlement in Anthem Data Breach Litigation". Market Watch. 23 June 2017. Retrieved 8 February 2019. Archived 9 February 2019: https://web.archive.org/web/20190209124138/https://www.marketwatch.com/press-release/plaintiffs-counsel-announce-115-million-proposed-class-action-settlement-in-anthem-data-breach-litigation-2017-06-23
[26] Pierson, Brendan. "Anthem to pay record $115 million to settle U.S. lawsuits over data breach". Reuters. 23 June 2017. Retrieved 8 February 2019. Archived 9 February 2019: https://web.archive.org/web/20190209124110/https://www.reuters.com/article/us-anthem-cyber-settlement/anthem-to-pay-record-115-million-to-settle-u-s-lawsuits-over-data-breach-idUSKBN19E2ML
[27] Andrews, Greg. "Anthem data-breach judge OKs huge fee award, but not as much as attorneys wanted". Indianapolis Business Journal. 20 August 2018. Retrieved 8 February 2019. Archived 9 February 2019: https://web.archive.org/web/20190209180034/https://www.ibj.com/articles/70144-anthem-data-breach-judge-oks-huge-fee-award-but-not-as-much-as-attorneys-wanted