US Health Insurer Anthem Suffers Massive Data Breach
An anonymous reader writes Anthem, the second-largest health insurer in the United States, has suffered a data breach that may turn out to be the largest health care breach to date, as the compromised database holds records of some 80 million individuals. Not much is known about how the attack was discovered, how it unfolded and who might be behind it, but the breach has been confirmed by the company's CEO Joseph Swedish in a public statement, in which he says they were the victims of a "very sophisticated external cyber attack." The company has notified the FBI, and has hired Mandiant to evaluate their systems and identify solutions to secure them.
Swedish said the breach is extensive: the vulnerable data included "names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data," though "no credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised." (Also covered by Reuters.)
Huge databases full of personal info are gigantic targets, and properly securing them is very, very difficult (and what's worse, uneconomical, since most of them are owned by publicly traded companies).
Pandora's box is open now, but don't say the tinfoiled warriors didn't warn you.
He tried to kill me with a forklift!
The hell you say! I'm sure all that money they saved not building an adequate infrastructure is much more than this breach will cost them. Oh, wait...
Never underestimate the power of stupid people in large groups.
Grind your axe somewhere else. You don't like the ACA? Write your congressman. Fuck off.
So of the roughly 300 million people with SSNs, nearly a third of them are nearly compromised? Great.
Why is a healthcare insurance provider collecting income information on the people they insure? That's none of their business. The answer is probably 'just because they can,' but that doesn't mean I have to like it.
What, you weren't buying medical insurance before Obamacare? I find that hard to believe...
It always struck me as silly that your SSN is supposed to be secret and is used as a password. But you can never change it, and you have to give it to everyone, including companies like this that lose it. Seems like the SSA should also give you a password that you can update that places could authenticate against. That way, if you suspect a breach, you could update that number. Something like: you come in, verify your identity and get a new PIN.
When I see a new doctor, they always demand an SS# along with all of your personal information.
And when I tell them that I am uncomfortable with it, I always get a stern and rude demand. Any explanation of how insecure medical is - those people email and fax that information willy-nilly - gets me this "I'm full of shit" look.
I hope those people get their identity stolen and their credit ruined so they can learn a lesson.
Don't worry, they are going to give you a free trial of credit monitoring... The credit monitoring company probably even gives them a kickback for referring 80 million potential new customers after the 1 year trial subscription expires!
Maybe they should change their name to Anathema Insurance
Demented But Determined.
My congresscritter has managed to vote to repeal ACA 50+ times since it was passed. Got any ideas on how to make him stop? Letter writing didn't help. Voting against him didn't help either.
Sadly, in the absence of data protection laws which make corporations liable for this, this will continue.
Unless companies carry a real cost for failing to secure this stuff, they'll continue to treat this as an afterthought.
But apparently forcing corporations to not be clueless and careless idiots would somehow be a bad thing.
Sorry, but if you need to have private information like that, you need to be accountable. If you aren't going to make companies accountable, don't allow them to have the data in the first place.
Lost at C:>. Found at C.
Simply WTF. If nothing else but "names, birthdays, medical IDs/social security numbers" would've been stolen, that in itself would've been much more than acceptable. Hell, one would expect the most sensitive data of people would be more protected... At the very least, the company should cover ID theft protection expenses for _all_, for at least a year, maybe more. Plus, they should be fined, with such a large amount that they'd get scared, and start implementing _real_ data protection policies. Yeah, you wish...
At companies and agencies handling such data, _all_ kinds of data leaks or thefts should be treated as criminal offenses and they should be punished, I mean really punished. If you can't handle the protection of the data, don't handle them in the first place.
While I also consider the thieves to be criminals, I'm more angry with those who are simply inept at protecting their best assets, even more so since they have the money, manpower and resources to do so.
Also, I'd like to see a national blacklist established, with all companies and agencies on it who had similar massive data breaches, and made publicly available, so that everyone could judge and decide whether they'd like to entrust their data to such idiots.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
Not saying this to be a dick. Saying it because the way you come across right now is as someone who takes pride in stuffing jargon in the faces of others.
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
Well, that's democracy in its current form for you. In 2010 the GOP got to re-draw congressional districts, and they gerrymandered them in such a way that anyone other than a staunch right-wing Republican will never ever get elected. You could run Jesus against the GOP candidate and it would be close.
It's nice that they notified us today that our information was breached, but the real question is why they didn't notify us sooner.
They set up a specific website about this breach.
http://anthemfacts.com/
The problem to me is that they just now notified us, yet they registered the domain for the breach on 2014-12-13, which goes to show that they knew about the breach nearly two months (or possibly more) before deciding to inform us.
and they gerrymandered them in such a way that anyone other than a staunch right-wing Republican will never ever get elected
You mean, like the Democrats have done forever in places like Maryland? The way they've tortured the district boundaries in that state is a showcase for craven political monoculture at the state legislature level. That even Marylanders got so sick of the lefty power plays that they refused to coronate the dem governor's anointed successor and went with a relatively unknown Republican in November is pretty telling.
Don't disappoint your bird dog. Go to the range.
So, you've got 100k of disposable income sitting around just in case you had to stay in the hospital for a week? Well, good for you, but I don't want the likes of you setting public policy, you know.
A successful API design takes a mixture of software design and pedagogy.
Yes, the behavior is totally defensible because the other side does it as well.
Except, you know, not.
Has any information been released regarding how the attack was performed?
The information needs to be accessible. The insurance company has to access it, of course, as well as partners like billing and collection companies; doctors and hospitals query the system, and to enforce the ACA the IRS needs access, as does the state exchange you bought it through... Probably three more types of entities I'm not thinking of off the top of my head. I'd bet there are at least a dozen different government agencies involved with the ACA who can query your information.
If the IRS, the insurance company, the hospital, the state, and the billing company can read the data, the bad guy can read it too. The data may very well be encrypted on disk, so if someone stole the hard drive they couldn't easily read it. It has to be decrypted by the system in order to be useful, though. Therefore, any encryption used must be mostly "feel good" encryption that doesn't actually do much to protect your data.
To protect it, we first need to address the issue that all of these different companies and government agencies get access - treat it as PRIVATE data, not to be passed around. THEN effective measures could be put in place to ensure it never leaves the insurance company's network.
I'll specifically address two things you mentioned:
> why not just keep any encryption keys in memory only where it's that much harder to get them
So the computer system has access to the decrypted data, because it has the key. The bad guy has control of the computer system ...
> these systems are already hugely expensive and it makes it incredibly difficult for anyone without physical access to get at the actual data.
So only the guy in the server room can access any patient^H^H^H^H^H^H customer data, for a company with millions of customers? That's going to be one busy guy! Roughly everyone who works at the insurance company needs some access to their customers' information, so it has to be on the network. The IRS demands access too, so the insurance company has to connect it to the internet.
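The stolen-disk versus compromised-system distinction argued in the post above, as an added example that is not code from the thread or from Anthem. The `Datastore` and `AppServer` classes, the member records and the caller names are all constructed for illustration; the cipher is a toy built from the standard library (an HMAC-SHA256 keystream plus an HMAC tag) so the file runs anywhere, and a real system would use AES-GCM from a proper library. The one thing the toy models faithfully is who holds the key: the disk does not, the application does, and so does anyone who owns the application.

```python
"""Added example: at-rest encryption versus an attacker who controls the app.
Toy cipher (HMAC-SHA256 in counter mode, encrypt-then-MAC); records are made up."""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample rows with the field types named in the breach statement.
MEMBERS = {
    "M-1001": b"Alice Example|1970-01-01|SSN 000-00-0001|Acme Corp|income 85000",
    "M-1002": b"Bob Example|1982-05-17|SSN 000-00-0002|Globex Inc|income 61000",
    "M-1003": b"Carol Example|1965-11-30|SSN 000-00-0003|Initech|income 120000",
}


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to n."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: 16-byte nonce || ciphertext || 32-byte tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Constant-time tag check first, then decrypt."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Datastore:
    """What sits on the disk: ciphertext only, no key material."""
    def __init__(self, key: bytes, records: dict):
        self.rows = {mid: seal(key, pt) for mid, pt in records.items()}


class AppServer:
    """The system that has to serve lookups, so it keeps the key in memory."""
    def __init__(self, key: bytes, store: Datastore):
        self._key = key            # resident in process memory
        self.store = store
        self.audit = Counter()     # decrypt events per calling identity

    def lookup(self, caller: str, mid: str) -> bytes:
        self.audit[caller] += 1
        return unseal(self._key, self.store.rows[mid])


def build_system(records: dict = MEMBERS) -> AppServer:
    key = secrets.token_bytes(32)
    return AppServer(key, Datastore(key, records))


def stolen_disk_leak(store: Datastore) -> int:
    """Attacker with only the disk image: rows that expose an SSN in the clear."""
    return sum(b"000-00-000" in blob for blob in store.rows.values())


def compromised_app_dump(app: AppServer) -> list:
    """Attacker with code execution on the app server: lift the key out of the
    process and decrypt every row directly, never touching lookup() or its audit."""
    key = app._key
    return [unseal(key, blob) for blob in app.store.rows.values()]


def bulk_export_via_api(app: AppServer, caller: str) -> list:
    """Attacker holding a partner's credentials: walks the legitimate API. The
    data still leaves, but every call lands in the audit counter."""
    return [app.lookup(caller, mid) for mid in app.store.rows]


def noisy_callers(app: AppServer, per_caller_limit: int) -> list:
    """Detection hook: identities that decrypted more rows than their role should."""
    return sorted(c for c, n in app.audit.items() if n > per_caller_limit)


if __name__ == "__main__":
    app = build_system()
    print("rows readable from a stolen disk:", stolen_disk_leak(app.store))
    print("rows readable from a compromised app:", len(compromised_app_dump(app)))
    bulk_export_via_api(app, "svc-billing")
    print("callers over their limit:", noisy_callers(app, per_caller_limit=1))
```

Running it prints 0 rows from the disk image, 3 from the compromised application, and flags `svc-billing` after the bulk export. The contrast between the last two paths is the practical takeaway: when the key has to be online, per-identity decrypt counts are one of the few controls left, and they only help against the credential-theft path, because an attacker who owns the process reads the key and leaves no entry in the audit counter at all.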
It's not just naked hypocrisy, though. The situation is more like you have a gun on someone, who wants you to put it down; but you are like 99% certain the moment you do they are going to run over, pick it up and point it at you.
Dems have used gerrymandering in the past; they would again if positioned to do so, or resort to some other dirty trick like trying to limit corporate donations while leaving the door open for unlimited union contributions. Or, for that matter, attaching a major health care overhaul to the budget reconciliation process for the express purpose of preventing the other side from having a floor vote or the opportunity to propose amendments they were sure would cause the legislation to fail.
No you can't expect one side to unilaterally disarm. It would be political suicide for those who are in it for the power, and needless surrender for those who are actually fighting for something on principle. The problem is our political system does not really allow for the creation of an enforceable bilateral agreement to "cut the crap" and actually behave democratically rather than seeing what you can get away with via process tricks and legal wrangling. In short there really is no solution until one side manages to suppress the other entirely (where we all lose).
The real question is whether the DNC can run out the clock until such time as the GOP demographically can't win, or whether the GOP will first succeed in controlling participation and eligibility enough that it won't matter. I am pretty pessimistic that the idea of "government by and for the people" has much chance for survival. So I say choose your sides, folks: you can have the socialist boot in your face, or the fascist boot up your ass; it's most likely going to be one or the other.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
So it's so gerrymandered towards Democrats that a Republican got voted in... yeah, seems legit.
You're (deliberately, no doubt) confusing congressional elections with gubernatorial elections. That you're even putting forth an opinion on the matter while being (or pretending to be) that clueless is pretty funny. Or would be, if it wasn't clear whether or not you vote using that same brain.
The potential exposure for individual financial fraud and identity theft is really bad with this but it's not the only concern. With this breach they have SSN plus detailed employment info for what probably amounts to nearly every employee at any company who uses Anthem for their health plans. What do 90% of helpdesks ask for when resetting something like a password or issuing one-time use tokens for 2-factor authentication? Last 4 of your SSN. With a little work to figure out a few things like login ID formats this data could be used as a jumping off point to target any of the thousands of companies that use Anthem for their employee health plans, across who knows how many industries. This could be the breach that keeps on breaching for a long time to come.
I browse on +1 so AC's need not respond, I won't see it.
NO.
The better way to fix this is to impose strict liability on the credit reporting agencies. If they put data in your credit report that is false, if they link you to debt that you actually didn't take out, then they have unlimited liability for damages to you plus statutory punitive damages.
Hell, if them coming and selling me credit protection services isn't extortion, I don't know what is.
"Nice credit score you have. It would be a shame if someone stole your identity and messed that up so that we had bad info for you in our database. Pay us per month and we will ensure that doesn't happen"
When credit agencies actually start pushing banks and other creditors for ACTUAL proof that it was that person, then the whole industry will quit using SSN's as ID's, which they aren't.
Yes, the behavior is totally defensible because the other side does it as well.
This coming from the person that (a) was the one that brought up gerrymandering, (b) only mentioned the GOP, and (c) vilified the GOP.
A very consistent thinking process you have. You will slam them publicly when the GOP does it, but you will also make every attempt to avoid saying that the DNC is also doing it.
When confronted with your hypocrisy you shrug it off and again make sure to not directly say that the DNC is also guilty but instead say "the other side."
Intellectual honesty is only intact when it's there from start to finish. When it isn't from start to finish, you are just a partisan asshole.
"His name was James Damore."
The GOP controls enough state governments to put them in a majority in both houses of Congress, despite their unpopularity with the general population. Whether it's the national org or the state ones, it's still the same thing. The state parties do what the national party tells them, more or less, lest they find themselves primaried.
Justice is supposed to follow the law, not make decisions based solely on politics. If there were something illegal or unethical in the redistricting that they could make a case against, then they would. If it's clean (albeit distasteful) then what the hell is Justice supposed to do about it? Should Holder have rejected it because he reports to a Democratic president? Sure, Holder can play politics by deciding what to prosecute and how to exercise his executive authority, but if there's nothing there, there's nothing there. And I guarantee you they went over that redistricting with a microscope.
How did they get it in the first place? Probably through my employer of course.
Of course, they do not even acknowledge it on their FAQ any more; that was quickly removed. Now it only says "employment information".
Not that political parties up here in Canada don't pull self-serving stunts, but how the US has allowed the architecture of its electoral system to become part of the partisan machine boggles the mind.
The world's burning. Moped Jesus spotted on I50. Details at 11.
By now my SSN must have been stolen several times from several different organizations that simply did not do their jobs properly. If there are consequences of this breach for me and I sue Anthem, they'll just point to any of the many other ways in which my PII has been mishandled as a reason to dodge blame. Everyone uses the SSN; even Costco asked for my SSN to join (I refused, but I bet there are many who didn't).
The change has to be in the meaning of the SSN. If the government wants a unique numeric name for any individual, I understand, but it's not the same as proof of ID. Proof of ID needs to be either something biometric or something to do with your relationships to other people (but then, Anthem gave away as much of that as they possibly could too).
Nullius in verba
It's selfish to not want to be told by someone else what to do?
It's called civilization. If I want to masturbate in public, or kill people, or be a pedophile, or be a cannibal. Or steal from my neighbors and sell their stuff on ebay, or force my neighbor's wife to have sex with me. I'm not allowed to do those things, It's an infringement upon my freedoms. I am not free to do any of those things without societal repercussions. And I agree with punishments for those things. People should not have the freedom to do those things.
We are a whole lot less "free" than some of us think.
It is the people that think they have an automatic right to tell others what to do that are selfish. This seems to be a common theme in politics today, where a group guilty of something like being selfish labels those that oppose them with what they themselves are actually guilty of.
Read this
http://talkingpointsmemo.com/l...
Now let's discuss.
Okay, I am certain that washing hands after using the toilet is one of those selfish things that intrude upon freedom. It actually is a restriction. If I have to do something, I am not free from doing exactly as I wish. I am restricted from my freedom to get my coliform-bacteria-laden shit on people's food. And Sen. Thom Tillis (R-NC) agrees with that.
Do you? Is fundamental freedom to do whatever you feel like doing so sacrosanct that you would be willing to allow your child to die with their internal organs destroyed by a massive E. coli infection just so someone doesn't have to wash their hands? Even if we're not in "Think of the Children" mode, are you willing to die because an employee enjoys greater freedom to
He is fine with that. And his other bit of batshit crazy stupidity was that he supported restaurants having to put up a sign saying they didn't require employees to wash their hands after a steaming hot crap, if they don't want to require their employees to have to wash their hands.
Which of course is a regulation, and regulations are bad, and it infringes upon the freedoms of the owner of the restaurant. Is the final answer "Eat shit and die, it's the way of freedom"?
This is the problem when Libertarianism gets married to Fundamentalist Republicanism. We end up making insane statements. Probably very few people want to eat fecal matter. It's been a known disease vector for a long long time. But when you decide that every law and regulation is an assault upon your freedom, and therefore evil, you get stuck in a potatofest of having to support insane ideas like a complete abandonment of basic hygiene, with Two Girls, One Cup notwithstanding.
It is not selfish to want to avoid other peoples tyranny. You dumb fuck.
Meh, Define that tyranny? Is it being required to wash your hands? Is it not allowing you to kill anyone you feel like killing? Not being allowed to have sex with your daughter? All are societal restrictions on your freedom. You would be much more free if you could do any of those things, without society judging or impeding you.
This is where all of the faux libertarian arguments fail. Everything is a litmus test, and when hoist by your own petard, you end up having to make up things like requiring employers to put up signs that only violate your own litmus tests. There is no civilization without restrictions on behavior. The faux libertarian world is nothing more than modern-day crypto-anarchy.
And you calling me a "dumb fuck" is just illustrative of every conversation I have with faux libertarians. All insult, no content.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
So both sides are doing it, but you only want to vilify the GOP for doing it. Is that about right?
Yes. Gerrymandering by the Republicans and gerrymandering by the Democrats are not the same. The Democrats started it (Gerry was a Democrat) but the Republicans are much better at it. There are plenty of geographic regions that are more than 90% Democrat. These are mostly urban areas with large minority populations. But if you go to the reddest of the red states, say some rural county in Utah, you will find that it is only about 70% Republican. Democrats are just inherently more concentrated, and it is easier to isolate their votes into a few urban districts where they overwhelmingly dominate, leaving the Republicans to sweep the suburbs with 55% or so.