Slashdot Mirror


US Health Insurer Anthem Suffers Massive Data Breach

An anonymous reader writes: Anthem, the second-largest health insurer in the United States, has suffered a data breach that may turn out to be the largest health care breach to date, as the compromised database holds records of some 80 million individuals. Not much is known about how the attack was discovered, how it unfolded and who might be behind it, but the breach has been confirmed by the company's CEO Joseph Swedish in a public statement, in which he says they were the victims of a "very sophisticated external cyber attack." The company has notified the FBI, and has hired Mandiant to evaluate their systems and identify solutions to secure them. Swedish said the breach is extensive: the vulnerable data included "names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data," though "no credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised." (Also covered by Reuters.)

3 of 223 comments

  1. Re:Incompetent IT in a health care industry? by jellomizer · Score: 4, Informative

    Working in Health Care, the issue is much harder than you think.
    We have conflicting rules and regulations that we must follow.
    We are by law demanded to keep our data safe, at the same time, we need to share it with others (Insurance Companies, Legal Cases, Governments, individuals, competing health care professionals) at a whim. Complex rules for what is acceptable and not are in place, meaning there is an IT Infrastructure that is older, because it contains an organic set of rules. Dumping the old systems for new ones that are more secure is a major undertaking.
    Even with a skilled IT Staff larger than most organizations it is nearly impossible to keep up with all the changes required by law, and focus completely on security. Putting in a code freeze until we get security fixed cannot happen.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  2. Re:income data? by Motard · Score: 5, Informative

    Why is a healthcare insurance provider collecting income information on the people they insure?

    I've worked in employee benefits for over 25 years, and the usual reason is that they are administering more than your health insurance. Often you also have short-term and/or long-term disability insurance, or life insurance. The benefits of these are based on some percentage of your salary. Your short term disability benefit may be 60% of your salary, or your life insurance benefit may be 2 X salary.

    In all my time working for insurers like Anthem I have never been asked to pull salary data for anything not related to the above.

  3. Re:SSN as an ID not password by Cmdr-Absurd · Score: 5, Informative

    It gets better. secure.ssa.gov currently gets an F rating at ssllabs. (Vulnerable to POODLE in both SSLv3 and TLS).