Reports hit the net this morning of a massive data breach affecting the customers of Anthem, Inc., the second-largest health insurer in the US. While the reports are initial and preliminary, the breach may be the largest ever in the healthcare vertical and rank high among the largest ever in any sector. Some sources report Anthem’s database holds details on as many as “…80 million current and former U.S. customers….” while others indicate the carrier admits to having been “…comprehensively ransacked….”
Anthem’s official statement from CEO Joseph Swedish states their “…state-of-the-art information systems…[were] the target of very sophisticated external cyber attack…” It also discloses that data including “…names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data…” are compromised. The statement makes the point that there is no evidence so far that credit card or medical information was lost, while tacitly acknowledging identity theft is likely.
While bankcard issuers will be pleased to learn no credit card data was lost, and those insureds with health conditions they prefer to remain confidential may be encouraged, the breach inevitably will yield a field day for identity thieves. A trove of data as large as the Anthem health data breach will surely prove to be, with both social security numbers (SSNs) and employment details including income, sets a platform for methodical exploitation that will likely go on for years. The market for medical identification details is surging, according to Fortune Magazine, because the data is valuable for more than just committing financial fraud. The details can be used to defraud Medicaid/Medicare for health benefits, sold to marketers seeking to target individuals with specific health conditions, or even used to create false personas for passports or visas.
While it will be weeks or months before the technical analysis of the Anthem data breach is released, two circumstances are likely. First, Anthem relied too heavily on perimeter security, focusing on keeping attackers out, without taking into account that the infrastructure complexity of such a large, dispersed organization leads to inevitable failure. Second, once the perimeter was pierced, the data inside had insufficient safeguards to protect its privacy. It will be interesting to learn to what degree, if any, the internal data was protected by encryption, cited by many as the best line of defense for data privacy protection, and, if it was not, what obstacles prevented Anthem from applying encryption more broadly.