US Health Insurer Anthem Suffers Massive Data Breach
An anonymous reader writes Anthem, the second-largest health insurer in the United States, has suffered a data breach that may turn out to be the largest health care breach to date, as the compromised database holds records of some 80 million individuals. Not much is known about how the attack was discovered, how it unfolded and who might be behind it, but the breach has been confirmed by the company's CEO Joseph Swedish in a public statement, in which he says they were the victims of a "very sophisticated external cyber attack." The company has notified the FBI, and has hired Mandiant to evaluate their systems and identify solutions to secure them.
Swedish said the breach is extensive: the vulnerable data included "names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data," though "no credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised." (Also covered by Reuters.)
for forcing everyone to sign up for Obamacare.
Huge databases full of personal info are gigantic targets, and properly securing them is very, very difficult (and what's worse, uneconomical, since most of them are owned by publicly traded companies).
Pandora's box is open now, but don't say the tinfoiled warriors didn't warn you.
He tried to kill me with a forklift!
The hell you say! I'm sure all that money they saved not building an adequate infrastructure is much more than this breach will cost them. Oh, wait...
Never underestimate the power of stupid people in large groups.
So of the roughly 300 million people with SSNs, nearly a third of them are nearly compromised? Great.
Why is a healthcare insurance provider collecting income information on the people they insure? That's none of their business. The answer is probably 'just because they can,' but that doesn't mean I have to like it.
Always struck me as silly that your SSN was supposed to be secret and is used as a password. But you can never change it and you have to give it to everyone, including companies like this that lose it. Seems like the SSA should also give you a password that you can update that places could authenticate against. That way if you suspect a breach you could update that number. Something like they have you come in, verify your identity and give you a new PIN.
When I see a new doctor, they always demand a SS# along with all of your personal information.
And when I tell them that I am uncomfortable with it, I always get a stern and rude demand. Any explanation of how insecure medical is - those people email and fax that information willy nilly - I get this "I'm full of shit look."
I hope those people get their identity stolen and their credit ruined so they can learn a lesson.
Don't worry, they are going to give you a free trial of credit monitoring... The credit monitoring company probably even gives them a kickback for referring 80 million potential new customers after the 1 year trial subscription expires!
Maybe they should change their name to Anathema Insurance
Demented But Determined.
Sadly, in the absence of data protection laws which makes corporations liable for this, this will continue.
Unless companies carry a real cost for failing to secure this stuff, they'll continue to treat this as an afterthought.
But apparently forcing corporations to not be clueless and careless idiots would somehow be a bad thing.
Sorry, but if you need to have private information like that, you need to be accountable. If you aren't going to make companies accountable, don't allow them to have the data in the first place.
Lost at C:>. Found at C.
Simply WTF. If nothing else but "names, birthdays, medical IDs/social security numbers" would've been stolen, that in itself would've been much more than acceptable. Hell, one would expect the most sensitive data of people would be more protected... At the very least, the company should cover ID theft protection expenses for _all_, for at least a year, maybe more. Plus, they should be fined, with such a large amount that they'd get scared, and start implementing _real_ data protection policies. Yeah, you wish...
At companies and agencies handling such data, _all_ kinds of data leaks or thefts should be treated as criminal offenses and they should be punished, I mean really punished. If you can't handle the protection of the data, don't handle them in the first place.
While I also consider the thieves to be criminals, I'm more angry with those who are simply too inept to protect their best assets, even more so since they have the money, manpower and resources to do so.
Also, I'd like to see a national blacklist established, with all companies and agencies on it who had similar massive data breaches, and made publicly available, so that everyone could judge and decide whether they'd like to entrust their data to such idiots.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
Not saying this to be a dick. Saying it because the way you come across right now is as someone who takes pride in stuffing jargon in the faces of others.
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
It's nice that they notified us today that our information was breached, but the real question is why they didn't notify us sooner.
They set up a specific website about this breach.
http://anthemfacts.com/
The problem to me is that they just now notified us, yet they registered the domain for the breach on 2014-12-13. Which goes to show that they knew about the breach nearly 2 months (or possibly more) before deciding to inform us.
Why does a Health Insurer need information about income?
And why is all that data in the same database and is anyone allowed to pull ALL data?
I am actually surprised that a private insurer got hacked before healthcare.gov. Is the government actually better at securing their data?
Lol, you can't seriously think they bought this domain just for this.
Yell at them for requiring it.
I don't yell; I sue and file criminal complaints.
In the old days, the insurance companies used your SS# as your member #. They stopped doing that years ago but the doctor's office workers do not know that.
But they also demand it for collection reasons.
That's the REAL reason doctors office demand it: collections. Meaning when you go and the insurance doesn't cover everything and you can't pay the balance, off to a collections agency.
I think that's all bullshit in this country. If a doctor signs a contract with my insurer for payment amounts, they should take that amount and none of this BS of coming for the balance from the patient. I also think it's unethical.
> Swedish said the breach is extensive: the vulnerable data included "names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data," though "no credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised."
Security was breached, personal information was stolen, but no CC or medical information. Can they tell us what prevented the theft of medical information? How can that information be used to prevent the future theft of data with other companies? Using the same methods, could it protect things like employment info and income data? Can systems be designed to be more bullet proof?
My first guess is that the medical information was on different servers, maybe at different locations, and access to those systems was not that easy. Given the fact that systems will be broken into, how can you design these big information systems in such a way that only a limited amount of data can be stolen?
Has any information been released regarding how the attack was performed?
OpenBSD, as thse
Every new huge data breach means more opportunities for identity theft. More and more ruined (and practically irreparable) credit records.
Eventually enough people will have such bad credit scores, justly or not, that lenders will have to either a) not lend or b) assume higher and higher risk thresholds.
Once a critical mass is reached, the whole rotten credit industry comes crashing down. Panic ensues.
Maybe then we'll get something like effective reform. Or a primitive cash-or-barter economy. Either would be an improvement.
The information needs to be accessible. The insurance company has to access it, of course, as well as partners like billing and collection companies, doctors and hospitals query the system, and to enforce ACA the IRS needs access, the state exchange you bought it through ... Probably three more types of entities I'm not thinking of off the top of my head. I'd bet there are at least a dozen different government agencies involved with ACA who can query your information.
If the IRS, the insurance company, the hospital, the state, and the billing company can read the data, the bad guy can read it too. The data may very well be encrypted on-disk, so if someone stole the hard drive they couldn't easily read it. It has to be decrypted by the system, though, in order to be useful. Therefore, any encryption used must be mostly "feel good" encryption that doesn't actually do much to protect your data.
To protect it, we first need to address the issue that all of these different companies and government agencies get access - treat it as PRIVATE data, not to be passed around. THEN effective measures could be put in place to ensure it never leaves the insurance company's network.
I'll specifically address two things you mentioned:
> why not just keep any encryption keys in memory only where it's that much harder to get them
So the computer system has access to the decrypted data, because it has the key. The bad guy has control of the computer system ...
> these systems are already hugely expensive and it makes it incredibly difficult for anyone without physical access to get at the actual data.
So only the guy in the server room can access any patient^H^H^H^H^H^H customer data, for a company with millions of customers? That's going to be one busy guy! Roughly everyone who works at the insurance company needs some access to their customers' information, so it has to be on the network. The IRS demands access too, so the insurance company has to connect it to the internet.
"Employment information" would potentially cover a lot of different things. Employer, job title, years of service, etc. Verifying title against income, an attacker could easily target employees who would have access to key systems within a corporation, and use the given email address as a starting point to launch those attacks.
Attacking an insurance company provides a goldmine for any nation-state looking that wants to perform espionage against US companies. My first guess is that they didn't WANT the financial information.
Under the current set of regulations, the information needs to be accessible. The insurance company has to access it, of course, as well as partners like billing and collection companies, doctors and hospitals query the system, and to enforce ACA the IRS needs access, the state exchange you bought it through ... Probably three more types of entities I'm not thinking of off the top of my head. I'd bet there are at least a dozen different government agencies involved with ACA who can query your information.
If the IRS, the insurance company, the hospital, the state, and the billing company can read the data, the bad guy can read it too. The data may very well be encrypted on-disk, so if someone stole the hard drive they couldn't easily read it. It has to be decrypted by the system, though, in order to be useful. Therefore, any encryption used must be mostly "feel good" encryption that doesn't actually do much to protect your data.
To protect it, we first need to address the issue that all of these different companies and government agencies get access - treat it as PRIVATE data, not to be passed around. THEN effective measures could be put in place to ensure it never leaves the insurance company's network. So long as the IRS demands access to query it, it has to be accessible via the internet.
> "very sophisticated external cyber attack."
Some kid walked into the server room with a USB key and copied all the files.
That's 80 million social security numbers connected to personally identifiable information.
It should now be illegal to use it as the "secure" way to identify someone.
For sensitive information like financial or medical data, it may be time to physically isolate the main data warehouse so any non-insider breach would only compromise records that had been copied to a "front end server" for short-term use.
Here is how it might work:
You have a back-end data warehouse that holds all of your records.
You have a "smart filter" that mediates access to this back-end database. This filter looks for suspicious behavior and alerts real human beings when things start to look funky. Ideally this "smart filter" would be "invisible" to both the "back-end data warehouse" and the "front end cache" which I will describe shortly. This "invisibility" will make it much harder to compromise.
You have a "front-end cache" that holds copies of information from the back-end data warehouse for a very short time - hours or days for most types of information.
It is this "front end cache" that bank tellers, ATM machines, home-banking web servers, etc. access.
If the front-end cache gets compromised and all of its data stolen, there will be a loss but it won't be nearly as big as the loss of having the entire data warehouse compromised.
If the front-end cache gets compromised in a way that causes it to start querying the back-end data warehouse for lots of data, alarms will go off.
This system is designed to mitigate damage, not prevent it entirely. It is meant to augment, not substitute, for existing security measures. By itself, it does nothing to protect against spear-phishing or to protect against a non-greedy adversary who is content to get only a small fraction of the total data available. But depending on how much it limits the damage when a breach does occur, it may be well worth the cost.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
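The two-tier layout sketched in the comment above (warehouse, mediating "smart filter", short-lived front-end cache), written out as an added example that is not code from the original post or from any insurer: the filter counts successful reads per caller in a sliding window, audits every attempt, and both alerts and refuses once a front end starts pulling far more than its normal trickle. The warehouse contents, the caller name "teller-web", the 50-reads-per-hour threshold and the 4-hour TTL are constructed for the demo.

```python
import time
from collections import deque

# Constructed stand-in for the back-end warehouse: a thousand fake member records.
WAREHOUSE = {f"member-{i:05d}": {"name": f"Member {i}", "ssn": f"000-00-{i:04d}"}
             for i in range(1, 1001)}


class FakeClock:
    """Deterministic clock so the demo (and its TTL expiry) runs the same every time."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class AccessDenied(Exception):
    pass


class SmartFilter:
    """Sits between every front end and the warehouse: counts reads per caller in a
    sliding window, audits every attempt, and alarms (and denies) on bulk reads."""
    def __init__(self, warehouse, max_reads_per_window, window_seconds, clock=time.monotonic):
        self.warehouse = warehouse
        self.max_reads = max_reads_per_window
        self.window = window_seconds
        self.clock = clock
        self.reads = {}      # caller -> timestamps of recent successful reads
        self.alerts = []     # what gets paged to a human
        self.audit = []      # every attempted read, allowed or not

    def fetch(self, caller, record_id):
        now = self.clock()
        recent = self.reads.setdefault(caller, deque())
        while recent and now - recent[0] > self.window:
            recent.popleft()
        self.audit.append((now, caller, record_id))
        if len(recent) >= self.max_reads:
            self.alerts.append((now, caller, f"{len(recent) + 1} reads in {self.window}s"))
            raise AccessDenied(f"{caller} exceeded {self.max_reads} reads per {self.window}s")
        recent.append(now)
        return dict(self.warehouse[record_id])


class FrontEndCache:
    """What tellers and web servers talk to; keeps records only for a short TTL."""
    def __init__(self, mediator, name, ttl_seconds, clock=time.monotonic):
        self.mediator, self.name, self.ttl, self.clock = mediator, name, ttl_seconds, clock
        self.store = {}      # record_id -> (expires_at, record)

    def get(self, record_id):
        now = self.clock()
        cached = self.store.get(record_id)
        if cached and cached[0] > now:
            return cached[1]
        record = self.mediator.fetch(self.name, record_id)
        self.store[record_id] = (now + self.ttl, record)
        return record

    def live_records(self):
        now = self.clock()
        return {rid: rec for rid, (expires, rec) in self.store.items() if expires > now}


def build(clock):
    mediator = SmartFilter(WAREHOUSE, max_reads_per_window=50, window_seconds=3600, clock=clock)
    cache = FrontEndCache(mediator, "teller-web", ttl_seconds=4 * 3600, clock=clock)
    return mediator, cache


def normal_day():
    """A few lookups, one repeat served from cache, then the TTL empties the cache."""
    clock = FakeClock()
    mediator, cache = build(clock)
    for rid in ["member-00001", "member-00002", "member-00003"]:
        cache.get(rid)
    cache.get("member-00001")                     # cache hit: no warehouse read
    held = len(cache.live_records())
    clock.advance(5 * 3600)                       # past the 4h TTL
    return {"warehouse_reads": len(mediator.audit), "held_before_ttl": held,
            "held_after_ttl": len(cache.live_records()), "alerts": len(mediator.alerts)}


def compromised_front_end():
    """The front end starts pulling the whole warehouse; the filter caps the loss."""
    clock = FakeClock()
    mediator, cache = build(clock)
    exposed = 0
    for rid in WAREHOUSE:
        try:
            cache.get(rid)
            exposed += 1
        except AccessDenied:
            break
    return {"exposed": exposed, "total": len(WAREHOUSE), "alerts": len(mediator.alerts)}


if __name__ == "__main__":
    print(normal_day())
    print(compromised_front_end())
```

The point the comment makes about a "non-greedy adversary" shows up directly in the numbers: a front end that pulls 1,000 records loses only the first 50 before the alarm, but one that stays under the per-window threshold is invisible to this filter, so the threshold has to be set from the front end's real traffic profile and the audit trail still needs to be reviewed.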
That sort of thing [holding higher-ups accountable] only happens in China
In theory and I'm sure sometimes in practice, it also happens in the US military. In some situations, if a service member violates orders and his boss doesn't fix the problem pronto or fails to see a problem that it's his job to see, he gets punished.
I say "in theory" because as with many organizations where "who you know" and "your perceived value to the organization" are unwritten factors in who takes the blame when things go wrong, there are probably plenty of times when the rules say such punishment should happen but the reality is that it does not.
The potential exposure for individual financial fraud and identity theft is really bad with this but it's not the only concern. With this breach they have SSN plus detailed employment info for what probably amounts to nearly every employee at any company who uses Anthem for their health plans. What do 90% of helpdesks ask for when resetting something like a password or issuing one-time use tokens for 2-factor authentication? Last 4 of your SSN. With a little work to figure out a few things like login ID formats this data could be used as a jumping off point to target any of the thousands of companies that use Anthem for their employee health plans, across who knows how many industries. This could be the breach that keeps on breaching for a long time to come.
I browse on +1 so AC's need not respond, I won't see it.
If you pay for services in advance and tell him you will file your own insurance paperwork for reimbursement, then he will not only want your business more than if you don't, but he won't have any insurance/banking/collection reason to need your SS#.
This will leave only a few reasons why he might ask for it:
* Some federal or state law requires it (doubtful, but possible)
* He's part of a larger practice which requires the SS# (possible)
* His patient-tracking or -payment system chokes without it (very likely) and he doesn't know how to work around that problem (also very likely).
A private key should be easy enough to print out.
If everyone had such keys I would make at least two encrypted copies, one each with the public keys of people I trusted and who I believed would be accessible, such as my parents or a sibling if they lived nearby.
Then I would print out the encrypted copies. I would keep one of each for myself and store one of each someplace else.
This way, if I lost my key-fob I could go to one of them and get it re-made. If my house burned down taking my key-fob and my printed copies with it, I could still re-create the key fob.
> So only the guy in the server room can access any patient^H^H^H^H^H^H customer data, for a company with millions of customers? That's going to be one busy guy! Roughly everyone who works at the insurance company needs some access to their customers' information, so it has to be on the network. The IRS demands access too, so the insurance company has to connect it to the internet.
The notion of an operator-provided or operator-unlocked key is the way it used to work "back in the days" when every server had a monitor plugged into it. You would provide a password on bootup which was a mini-key to decrypt the actual SSL/TLS keys. It would get stashed in memory at that point and (hopefully) operator intervention wouldn't be needed again until the next scheduled reboot. Before too long, the threat of in-memory attacks far eclipsed the threat of physical server theft and this practice was ditched.
NO.
The better way to fix this is to require strict liability to the Credit reporting agencies. If they put data in your credit report that is false, If they link you to debt that you actually didn't take out, then they have unlimited liability to damages to you plus statutory punitive damages.
Hell, if them coming to sell me credit protection services isn't extortion, I don't know what is.
"Nice credit score you have. It would be a shame if someone stole your identity and messed that up so that we had bad info for you in our database. Pay us per month and we will ensure that doesn't happen"
When credit agencies actually start pushing banks and other creditors for ACTUAL proof that it was that person, then the whole industry will quit using SSN's as ID's, which they aren't.
Seems to be an annual ritual now. Just watch accounts and credit history.
That is not a bad idea.
The bad guys took every other piece of relevant data about you, but not your credit card data; ya, right.
The key thing here is that most of these details are write-once, read-rarely. How often is a Social Security number actually needed? At sign-up and then only if there is a problem, like unpaid debts. So why is it even in the computer to begin with? Put it on a piece of paper, file it in a well organized records room and in that rare case of needing it, have a couple of minimum wage people on staff whose job is to go pull paper records. Same thing with date of birth - nobody needs the specific date, for all medical purposes the year alone is more than sufficient, probably even a 5-year range is good enough.
With paper the risk of wholesale data-theft is reduced to the people who have access to the room and how many file folders they can sneak past a security guard.
The only reason this stuff is in the computer anyway is because of a "collect it all" mentality; nobody has considered the risks of electronic records, only the benefits, such that even the most minimal benefit is considered sufficient reason to justify putting it in a database. Start doing a full cost/benefit analysis and many of these database choices will look like bad ones.
It placed a SHIT LOAD of trust in the key fob, thus making identity theft a shit load easier!
The more security is put in place, the less it is questioned by those checking authentication. The end result is a less-secure system.
> though "no credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised."
Whew... what a relief! I was really worried there for a minute...
Which has more power: the hammer, or the anvil?
How did they get it in the first place? Probably through my employer of course.
Of course, they do not even acknowledge it on their FAQ any more, that was quickly removed.. Now it only says "employment information".
> If the IRS, the insurance company, the hospital, the state, and the billing company can read the data, the bad guy can read it too. The data may very well be encrypted on-disk, so if someone stole the hard drive they couldn't easily read it. It has to be decrypted by the system, though, in order to be useful.
That isn't really true. A well-designed system (they do exist) would leave the decryption to a dedicated security module, separate from where the data is stored. To gain access to the data you first establish a secure connection to the data store, authenticate yourself, and retrieve the encrypted data. You then connect to the security module, re-authenticate, and present the encrypted data along with a (cryptographically signed) request for decryption. The security module logs and validates the request, decrypts the data, and sends the plaintext back to the client through the encrypted connection. At no point does any system other than the security module and the client's computer have access to the plaintext, and the rules for validating requests can be as strict as you like.
The security module is an obvious target for attack, but it's also a single-purpose system on which you can focus all your security-hardening efforts.
"The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
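The decrypt-on-request design in the comment above, written out as an added example that is neither Anthem's nor any product's code: the data store holds only ciphertext and authenticates callers, while the security module alone has the data key and, for each request, verifies the signature, rejects replays, enforces a per-client field policy, logs the decision, and releases just the permitted fields. The client names, field policy, credentials and sample record are constructed; an HMAC-SHA256 request signature stands in for a real digital signature, and the HMAC-based seal/unseal stands in for an AEAD such as AES-GCM so that the demo runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets


def _keystream(key, nonce, length):
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Stdlib-only stand-in for an AEAD such as AES-GCM: HMAC-SHA256 keystream plus HMAC tag."""
    enc_key, mac_key = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()


def unseal(key, blob):
    enc_key, mac_key = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("ciphertext tag mismatch")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


def sign_request(key, request):
    # Stand-in for a real signature: HMAC over the canonical JSON form of the request.
    return hmac.new(key, json.dumps(request, sort_keys=True).encode(), hashlib.sha256).digest()


class DataStore:
    """Stores ciphertext only and never holds the data key."""
    def __init__(self, credentials):
        self.credentials, self.rows = credentials, {}      # client -> shared secret

    def get(self, client, credential, record_id):
        expected = self.credentials.get(client)
        if expected is None or not hmac.compare_digest(expected, credential):
            raise PermissionError("data store: bad credential")
        return self.rows[record_id]


class SecurityModule:
    """Sole holder of the data key: checks signature, replay and field policy, logs, decrypts."""
    def __init__(self, data_key, signing_keys, policy):
        self.data_key, self.signing_keys, self.policy = data_key, signing_keys, policy
        self.seen_nonces, self.log = set(), []

    def _reject(self, client, rid, why):
        self.log.append(("REJECT", client, rid, why))
        raise PermissionError(why)

    def decrypt(self, request, signature):
        client, rid, wanted = request["client"], request["record_id"], set(request["fields"])
        key = self.signing_keys.get(client)
        if key is None or not hmac.compare_digest(signature, sign_request(key, request)):
            self._reject(client, rid, "bad signature")
        if request["nonce"] in self.seen_nonces:
            self._reject(client, rid, "replayed request")
        if not wanted <= self.policy.get(client, set()):
            self._reject(client, rid, "field not permitted by policy")
        self.seen_nonces.add(request["nonce"])
        record = json.loads(unseal(self.data_key, bytes.fromhex(request["blob"])))
        self.log.append(("DECRYPT", client, rid, sorted(wanted)))
        return {f: record[f] for f in wanted}


class Client:
    def __init__(self, name, credential, signing_key):
        self.name, self.credential, self.signing_key = name, credential, signing_key
        self.last = None     # kept so the demo can replay and tamper with a real request

    def read(self, store, module, record_id, fields):
        blob = store.get(self.name, self.credential, record_id)
        request = {"client": self.name, "nonce": secrets.token_hex(8), "record_id": record_id,
                   "fields": sorted(fields), "blob": blob.hex()}
        self.last = (request, sign_request(self.signing_key, request))
        return module.decrypt(*self.last)


def demo():
    data_key, clerk_key, analyst_key = (secrets.token_bytes(32) for _ in range(3))
    clerk_cred, analyst_cred = secrets.token_bytes(16), secrets.token_bytes(16)
    store = DataStore({"claims-clerk": clerk_cred, "fraud-analyst": analyst_cred})
    module = SecurityModule(data_key, {"claims-clerk": clerk_key, "fraud-analyst": analyst_key},
                            {"claims-clerk": {"name", "plan"}, "fraud-analyst": {"name", "plan", "ssn"}})
    # Constructed sample record; the store only ever receives the sealed blob.
    store.rows["member-00001"] = seal(data_key, json.dumps(
        {"name": "Sample Member", "plan": "PPO-2", "ssn": "000-00-0001"}).encode())
    clerk = Client("claims-clerk", clerk_cred, clerk_key)
    analyst = Client("fraud-analyst", analyst_cred, analyst_key)
    out = {"clerk_view": clerk.read(store, module, "member-00001", ["name", "plan"])}
    request, sig = clerk.last
    for label, attempt in [
        ("replay_denied", lambda: module.decrypt(request, sig)),
        ("tamper_denied", lambda: module.decrypt(dict(request, fields=["ssn"]), sig)),
        ("clerk_ssn_denied", lambda: clerk.read(store, module, "member-00001", ["ssn"])),
    ]:
        try:
            attempt()
            out[label] = False
        except PermissionError:
            out[label] = True
    out["analyst_view"] = analyst.read(store, module, "member-00001", ["ssn"])
    out["log"] = module.log
    return out
```

The log line for the clerk asking for the SSN is the interesting one: policy is enforced at the only place plaintext exists, so a client holding valid credentials and a valid ciphertext still cannot widen its own access, and every widening attempt leaves a record naming the caller.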
By now my SSN must have been stolen several times from several different organizations that simply did not do their jobs properly. If there are consequences of this breach for me and I sue Anthem they'll just point to any of the many other ways in which my PII has been mishandled as a reason to dodge blame. Everyone uses the SSN, even costco asked for my SSN to join (I refused, but I bet there are many who didn't).
The change has to be in the meaning of the SSN. If the government wants a unique numeric name for any individual I understand, but it's not the same as proof of ID. Proof of ID needs to be either something biometric or something to do with your relationships to other people (but then, Anthem gave away as much of that as they possibly could too).
Nullius in verba
"Someone's gonna kiss the donkey." -- Battleship
Uh, Linux geek since 1999.
> "or medical information, such as claims, test results or diagnostic codes were targeted or compromised."
This is an out and out lie. They are just trying to avoid being on the hook for a bankruptcy-sized HIPAA violation.
Upon learning about this incident... I immediately logged in and changed my pw at anthem.com. I've also updated passwords on every other thing that I have access to on the internet....
> Why does the IRS need access to medical records, anyway? Financial records, sure -- but diagnostics, etc.? Seems a bit odd.
The IRS has a major role in administering the ACA (Obamacare). The agencies in part write their own regulations about what they want to have access to.
It would be possible to architect a reasonably sane national system, yes. I was speaking from the point of view of one insurance company. They have to provide the various agencies that administer ACA the access that the agencies demand. They can't force HHS or IRS to use the security hardware that the insurance company selects.
Even with a sane national system, a hospital should be able to query certain information from the insurers. That actually means each low-level hospital employee handling claims can query the data. When the hospital employee clicks on Britney spearssextape.mpg.pif ...
We probably got hacked by our own government.
https://www.youtube.com/c/BrendaEM
> I was speaking from the point of view of one insurance company. They have to provide the various agencies that administer ACA the access that the agencies demand.
Under the system I described, the insurance company can provide any level of access required. Even a full database dump, if necessary—just make sure it's locked down so that such requests can only come from the agency needing access. If they want to use their own transfer protocol, arrange for a hardened proxy server and do whatever protocol translation you need at that point. If your database gets hacked through an insecure interface demanded by some external agency, there will be a log entry recording that proxy as the source and everyone will know who is to blame.
Fuck you, I was required by law to get medical insurance and I ended up with Anthem. I didn't want this at all and now I'm a victim of it
You've got 100K extra just lying around solely reserved for medical expenses? Sounds like it's time to get out the tax hammer and start whackin at your piggy banks, ya greedy prick.
Hey dumb shit! The proper syntax for that statement is one of the following:
It is not selfish to want to avoid other peoples tyranny COMMA you dumb fuck.
It is not selfish to want to avoid other peoples tyranny. You ARE a dumb fuck.
You know nothing, dumbfuck.
The Google Analytics tag on their site is not from Anthem but from http://www.webteks.com/
It is silly that a medical site uses Google Analytics but it is even more silly that the data can be seen by an external small web developer.
How can they be the "second-largest" when I've never heard of them, and they don't even show up in the top 125 list:
http://www.freedombenefits.net/affordable-health-insurance-articles/Largest-125-US-Health-Insurance-Companies.html
In the US you gave blanket authorization for the healthcare provider to share your information with insurers and other third parties when you signed that HIPAA authorization form at your first visit. You did read that, right?
Here's a sample authorization form: https://www.caring.com/forms/h....
So, I saw this ad, on Craigslist.
Now, what is described, here, is NOT so much a director's duties, but, rather, more, a senior systems administrator's duties.
And so, apparently, the "director" is title inflation, to offset the lack of salary - which was not mentioned.
But I replied, anyway ...
The Human Resources manager was quick to respond:
I confirmed 10:00, Friday morning ... but never received a reply.
So I sent another email, asking for an acknowledgement.
I also informed them that, between an older version of Skype installed on an older computer, running an older operating system ... and my home's limited bandwidth ... that, as a result of previous experiences with Skype not delivering an adequate grade of interconnectivity ... might we not do the interview, via telephone?
The Human Resources manager then, without replying to my request, rescheduled the interview:
I af