US Health Insurer Anthem Suffers Massive Data Breach
An anonymous reader writes Anthem, the second-largest health insurer in the United States, has suffered a data breach that may turn out to be the largest health care breach to date, as the compromised database holds records of some 80 million individuals. Not much is known about how the attack was discovered, how it unfolded and who might be behind it, but the breach has been confirmed by the company's CEO Joseph Swedish in a public statement, in which he says they were the victims of a "very sophisticated external cyber attack." The company has notified the FBI, and has hired Mandiant to evaluate their systems and identify solutions to secure them.
Swedish said the breach is extensive: the vulnerable data included "names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data," though "no credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised." (Also covered by Reuters.)
Working in Health Care, the issue is much harder than you think.
We have conflicting rules and regulations that we must follow.
We are by law demanded to keep our data safe, at the same time, we need to share it with others (Insurance Companies, Legal Cases, Governments, individuals, competing health care professionals) at a whim. Complex rules for what is acceptable and not are in place, meaning there is an IT Infrastructure that is older, because it contains an organic set of rules. Dumping the old systems for new ones that are more secure is a major undertaking.
Even with a skilled IT Staff larger than most organizations it is nearly impossible to keep up with all the changes required by law, and focus completely on security. Putting in a code freeze until we get security fixed cannot happen.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
PII should be classified based on sensitivity. At a certain level, that PII must be encrypted during transit. At the highest level, it must be encrypted during transit and at rest. SSN falls in the highest sensitivity level. SOP for years. This doesn't guarantee you won't get hacked, but it reduces / minimizes the impact if you are hacked.
PII - Personally Identifiable Information
SSN - Social Security Number
SOP - Standard Operating Procedure
Why is a healthcare insurance provider collecting income information on the people they insure?
I've worked in employee benefits for over 25 years, and the usual reason is that they are administering more than your health insurance. Often you also have short-term and/or long-term disability insurance, or life insurance. The benefits of these are based on some percentage of your salary. Your short term disability benefit may be 60% of your salary, or your life insurance benefit may be 2 X salary.
In all my time working for insurers like Anthem I have never been asked to pull salary data for anything not related to the above.
HIPAA requires all PHI to be encrypted when transmitted.
The hack got into the systems after the data was at rest. As do most data breaches. There are very few hacks from packet sniffing. (Our infrastructure tends to be using Switches and Routers, instead of the old Hubs, so there are fewer packets being spread to less than trustworthy areas.)
If you were to encrypt the data at rest, where would you store the key? And if someone could gain access to that key you are in just as much trouble.
Better rules would be for systems that access PHI to be off the Internet entirely. So you will have two networks that are physically separate. One where you have the PCs that are hooked to the normal intranet and internet. Then one system just for PHI.
Now how do we send data from one institution to the next (say from the hospital to the insurance company)? Then you will need a trusted point to point encrypted channel. Once the data is sent, that point to point needs to be closed, and perhaps physically unplugged from the internet.
It gets better. secure.ssa.gov currently gets an F rating at ssllabs. (Vulnerable to Poodle both sslv3 and TLS).
Encryption is not a panacea.
I'm in full agreement that sensitive data should be encrypted, but I've seen too many cases where encryption (even bad encryption) is an excuse for lazy and bad security decisions.
SSN is a bad "secret" for anything, given how simple and ubiquitous it is. The idea that shared secrets establish identity has been wrong for many years and it's just going to keep getting worse until we, as consumers, can make companies leverage public key cryptography for authentication.
Policies that require encrypting SSN at rest and PII in transit usually result in a database table with:
Name
Address
Date_of_Birth
Encrypted_SSN
That sounds like a step in the right direction, unless you consider how easy it is to decrypt the SSN. On my laptop, it takes 62 seconds to go through every possible SSN using a script that took me less than 60 seconds to write. Add some time for doing an encrypt operation and lookup for each possible value, but it's clearly possible to brute force the entire SSN range on any computer in a very short amount of time. Ultimately, once someone can get access to the data, they can easily generate every possible encrypted SSN and match up the actual value to what's in the table.
Real world example:
Cox insisted on having my SSN to get internet service through them. The last 4 of the SSN is used to confirm the user on the web site. They insisted that storing SSN on the internet was safe because it's encrypted. They really want the SSN to be able to track you down if you don't pay and skip town. Most of their customers aren't going to argue with them because they hear that encryption is magic. I eventually convinced a supervisor that their security is a joke and we agreed that my SSN would be in their system as 3.14159265, without the decimal point.
When people believe that encryption makes their data safe, it allows people to decide to make riskier choices with where the data resides. Encryption is a step in the right direction, but it's just one piece of the security puzzle.
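The two threads above raise the same design question from different sides: one asks where the key for data at rest would live, the other shows that a deterministic, key-free transform of a nine-digit value can be matched offline against the whole SSN space. The example below is added here and is not code from any commenter or from Anthem; it uses only the Python standard library and a hypothetical `TokenVault` class standing in for a separate tokenization service whose key would come from a KMS or HSM rather than from the database. It contrasts a naive unkeyed column (a guess can be checked with nothing but the table) with an HMAC index under a key the table never holds and with a random token whose mapping back to the SSN lives only in the vault; the sample SSN is a constructed value.

```python
import hashlib
import hmac
import secrets

# Nine decimal digits: the entire candidate space for a guessed SSN.
SSN_SPACE = 10 ** 9


def naive_fingerprint(ssn: str) -> str:
    """Deterministic and unkeyed (a plain hash of the SSN).

    Equal SSNs map to equal stored values, and anyone who can read the
    table can compute the value for a guessed SSN with no secret at all,
    so the column only hides the SSN from someone unwilling to try all
    SSN_SPACE candidates.
    """
    return hashlib.sha256(ssn.encode()).hexdigest()


def keyed_index(ssn: str, index_key: bytes) -> str:
    """Deterministic but keyed: HMAC-SHA256 under a key the database never holds.

    Still supports equality lookups ("find the customer with this SSN"),
    but a reader of the table cannot check a guess without index_key.
    """
    return hmac.new(index_key, ssn.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Hypothetical stand-in for a separate tokenization service.

    The application table stores only a random token. The token -> SSN
    mapping and the index key live here, behind their own access controls,
    so a dump of the application table carries nothing that can be matched
    offline against the SSN space.
    """

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key      # in practice fetched from a KMS/HSM
        self._ssn_by_token = {}
        self._token_by_index = {}

    def tokenize(self, ssn: str) -> str:
        # Same SSN -> same token (so lookups work); the token itself is random
        # and carries no information about the SSN.
        idx = keyed_index(ssn, self._index_key)
        if idx not in self._token_by_index:
            token = secrets.token_hex(16)
            self._token_by_index[idx] = token
            self._ssn_by_token[token] = ssn
        return self._token_by_index[idx]

    def detokenize(self, token: str) -> str:
        return self._ssn_by_token[token]


def guess_matches_naive(stored: str, guess: str) -> bool:
    """Offline check against the naive column: needs nothing but the table."""
    return hmac.compare_digest(stored, naive_fingerprint(guess))


def guess_matches_keyed(stored: str, guess: str, index_key: bytes) -> bool:
    """Check against the keyed column: only succeeds with the right key."""
    return hmac.compare_digest(stored, keyed_index(guess, index_key))


def demo() -> dict:
    """Build one constructed table row each way and report what a table reader can learn."""
    sample_ssn = "123456789"                     # constructed, never-issued value
    vault_key = secrets.token_bytes(32)          # would come from a KMS/HSM, never stored with the data
    vault = TokenVault(vault_key)
    row = {
        "Name": "Example Person",                # constructed
        "Encrypted_SSN_naive": naive_fingerprint(sample_ssn),
        "SSN_Index": keyed_index(sample_ssn, vault_key),
        "SSN_Token": vault.tokenize(sample_ssn),
    }
    wrong_key = secrets.token_bytes(32)          # what an attacker without the vault has
    return {
        "naive_confirms_guess_without_secret": guess_matches_naive(row["Encrypted_SSN_naive"], sample_ssn),
        "keyed_confirms_guess_without_key": guess_matches_keyed(row["SSN_Index"], sample_ssn, wrong_key),
        "token_contains_ssn": sample_ssn in row["SSN_Token"],
        "vault_roundtrip": vault.detokenize(row["SSN_Token"]) == sample_ssn,
        "candidates_without_key": SSN_SPACE,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The naive column fails not because SHA-256 is weak but because the input space is small and the transform needs no secret; the same holds for any deterministic encryption whose key sits next to the data. Moving the key and the mapping into a service with its own access path answers the "where would you store the key" question: the breach of the application database and the breach of the vault become two separate events, and the application table alone yields nothing to enumerate against.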