Slashdot Mirror


US Health Insurer Anthem Suffers Massive Data Breach

An anonymous reader writes: Anthem, the second-largest health insurer in the United States, has suffered a data breach that may turn out to be the largest health care breach to date, as the compromised database holds records of some 80 million individuals. Not much is known about how the attack was discovered, how it unfolded and who might be behind it, but the breach has been confirmed by the company's CEO Joseph Swedish in a public statement, in which he says they were the victims of a "very sophisticated external cyber attack." The company has notified the FBI, and has hired Mandiant to evaluate their systems and identify solutions to secure them. Swedish said the breach is extensive: the vulnerable data included "names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data," though "no credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised." (Also covered by Reuters.)

26 of 223 comments

  1. That's why nobody sensible wants them by 3.5+stripes · · Score: 5, Interesting

    Huge databases full of personal info are gigantic targets, and properly securing them is very very difficult (and what's worse, uneconomical, since most of them are owned by publicly traded companies).

    Pandora's box is open now, but don't say the tinfoiled warriors didn't warn you.

    --
    He tried to kill me with a forklift!
    1. Re:That's why nobody sensible wants them by SQLGuru · · Score: 3, Informative

      PII should be classified based on sensitivity. At a certain level, that PII must be encrypted during transit. At the highest level, it must be encrypted during transit and at rest. SSN falls in the highest sensitivity level. SOP for years. This doesn't guarantee you won't get hacked, but it reduces / minimizes the impact if you are hacked.

      PII - Personally Identifiable Information
      SSN - Social Security Number
      SOP - Standard Operating Procedure

    2. Re:That's why nobody sensible wants them by RenderSeven · · Score: 5, Insightful

      It won't stop until we start arresting the CIOs for being complicit in the breaches. My 10-year-old kids get it - "it may not be your fault but it's your responsibility" - so why do overpaid do-nothing executives get a free pass when they utterly fail at their job?

    3. Re:That's why nobody sensible wants them by jellomizer · · Score: 3, Informative

      HIPAA requires all PHI to be encrypted when transmitted.
      The hack got into the systems after the data is at rest. As are most data breaches. There are very few hacks from packet sniffing. (Our infrastructure tends to be using switches and routers, instead of the old hubs, so there are fewer packets being spread to less than trustworthy areas.)
      If you were to encrypt the data at rest, where would you store the key? And if someone could gain access to that key you are in just as much trouble.

      Better rules would be for systems that access PHI to be off the Internet entirely. So you will have two networks that are physically on different networks. One where you have the PCs that are hooked to the normal intranet and internet. Then one system just for PHI.
      Now how do we send data from one institution to the next (say from the hospital to the insurance company)? Then you will need a trusted point to point encrypted channel. Once the data is sent, that point to point needs to be closed, and perhaps physically unplugged from the internet.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    4. Re:That's why nobody sensible wants them by qwijibo · · Score: 3, Informative

      Encryption is not a panacea.

      I'm in full agreement that sensitive data should be encrypted, but I've seen too many cases where encryption (even bad encryption) is an excuse for lazy and bad security decisions.

      SSN is a bad "secret" for anything, given how simple and ubiquitous it is. The idea that shared secrets establish identity has been wrong for many years and it's just going to keep getting worse until we, as consumers, can make companies leverage public key cryptography for authentication.

      Policies that require encrypting SSN at rest and PII in transit usually result in a database table with:
      Name
      Address
      Date_of_Birth
      Encrypted_SSN

      That sounds like a step in the right direction, unless you consider how easy it is to decrypt the SSN. On my laptop, it takes 62 seconds to go through every possible SSN using a script that took me less than 60 seconds to write. Add some time for doing an encrypt operation and lookup for each possible value, but it's clearly possible to brute force the entire SSN range on any computer in a very short amount of time. Ultimately, once someone can get access to the data, they can easily generate every possible encrypted SSN and match up actual value to what's in the table.

      Real world example:
      Cox insisted on having my SSN to get internet service through them. The last 4 of the SSN is used to confirm the user on the web site. They insisted that storing SSN on the internet was safe because it's encrypted. They really want the SSN to be able to track you down if you don't pay and skip town. Most of their customers aren't going to argue with them because they hear that encryption is magic. I eventually convinced a supervisor that their security is a joke and we agreed that my SSN would be in their system as 3.14159265, without the decimal point.

      When people believe that encryption makes their data safe, it allows people to decide to make riskier choices with where the data resides. Encryption is a step in the right direction, but it's just one piece of the security puzzle.

  2. Incompetent IT in a health care industry? by BVis · · Score: 4, Insightful

    The hell you say! I'm sure all that money they saved not building an adequate infrastructure is much more than this breach will cost them. Oh, wait...

    --
    Never underestimate the power of stupid people in large groups.
    1. Re:Incompetent IT in a health care industry? by jellomizer · · Score: 4, Informative

      Working in health care, the issue is much harder than you think.
      We have conflicting rules and regulations that we must follow.
      We are by law demanded to keep our data safe; at the same time, we need to share it with others (insurance companies, legal cases, governments, individuals, competing health care professionals) at a whim. Complex rules for what is acceptable and not are in place, meaning there is an IT infrastructure that is older, because it contains an organic set of rules. Dumping the old systems for new ones that are more secure is a major undertaking.
      Even with a skilled IT staff larger than most organizations, it is nearly impossible to keep up with all the changes required by law and focus completely on security. Putting in a code freeze until we get security fixed cannot happen.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  3. Re:Thanks Obama by BVis · · Score: 3, Insightful

    Grind your axe somewhere else. You don't like the ACA? Write your congressman. Fuck off.

    --
    Never underestimate the power of stupid people in large groups.
  4. 80 Million? by giltwist · · Score: 5, Insightful

    So of the roughly 300 million people with SSNs, nearly a third of them are nearly compromised? Great.

    1. Re:80 Million? by wezelboy · · Score: 4, Insightful

      Might be a great excuse to replace SSNs with something better, like a key pair.

  5. income data? by SemperUbi · · Score: 3, Interesting

    Why is a healthcare insurance provider collecting income information on the people they insure? That's none of their business. The answer is probably 'just because they can,' but that doesn't mean I have to like it.

    1. Re:income data? by Motard · · Score: 5, Informative

      Why is a healthcare insurance provider collecting income information on the people they insure?

      I've worked in employee benefits for over 25 years, and the usual reason is that they are administering more than your health insurance. Often you also have short-term and/or long-term disability insurance, or life insurance. The benefits of these are based on some percentage of your salary. Your short term disability benefit may be 60% of your salary, or your life insurance benefit may be 2 X salary.

      In all my time working for insurers like Anthem I have never been asked to pull salary data for anything not related to the above.

  6. SSN as an ID not password by Himmy32 · · Score: 5, Interesting

    Always struck me as silly that your SSN was supposed to be secret and is used as a password. But you can never change it and you have to give it to everyone, including companies like this that lose it. Seems like the SSA should also give you a password that you can update that places could authenticate against. That way if you suspect a breach you could update that number. Something like you come in, verify your identity and get a new PIN.

    1. Re:SSN as an ID not password by Cmdr-Absurd · · Score: 5, Informative

      It gets better. secure.ssa.gov currently gets an F rating at SSL Labs. (Vulnerable to POODLE, both SSLv3 and TLS.)

  7. Free credit monitoring! by fastgriz · · Score: 3, Funny

    Don't worry, they are going to give you a free trial of credit monitoring... The credit monitoring company probably even gives them a kickback for referring 80 million potential new customers after the 1 year trial subscription expires!

  8. Badum-tish! by Dr.+Eggman · · Score: 3, Funny

    Maybe they should change their name to Anathema Insurance

    --
    Demented But Determined.
  9. Re:Thanks Obama by internerdj · · Score: 4, Interesting

    My congresscritter has managed to vote to repeal ACA 50+ times since it was passed. Got any ideas on how to make him stop? Letter writing didn't help. Voting against him didn't help either.

  10. And no consequences? by gstoddart · · Score: 3, Insightful

    Sadly, in the absence of data protection laws that make corporations liable for this, this will continue.

    Unless companies carry a real cost for failing to secure this stuff, they'll continue to treat this as an afterthought.

    But apparently forcing corporations to not be clueless and careless idiots would somehow be a bad thing.

    Sorry, but if you need to have private information like that, you need to be accountable. If you aren't going to make companies accountable, don't allow them to have the data in the first place.

    --
    Lost at C:>. Found at C.
  11. Acronym usage by gcnaddict · · Score: 3, Insightful

    If you're only using an acronym once, expand it in-line. For instance:

    Personally identifiable information (PII) should be classified based on sensitivity. At a certain level, that PII must be encrypted during transit. At the highest level, it must be encrypted during transit and at rest. Social security number falls in the highest sensitivity level. Standard operating procedure for years. This doesn't guarantee you won't get hacked, but it reduces / minimizes the impact if you are hacked.

    Not saying this to be a dick. Saying it because the way you come across right now is as someone who takes pride in stuffing jargon in the faces of others.

    --
    Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
  12. Re:Thanks Obama by BVis · · Score: 3, Interesting

    Well, that's democracy in its current form for you. In 2010 the GOP got to re-draw congressional districts, and they gerrymandered them in such a way that anyone other than a staunch right-wing Republican will never ever get elected. You could run Jesus against the GOP candidate and it would be close.

    --
    Never underestimate the power of stupid people in large groups.
  13. Notice is 2 Months Late by Cigamit · · Score: 5, Interesting

    It's nice that they notified us today that our information was breached, but the real question is why they didn't notify us sooner.

    They set up a specific website about this breach.
    http://anthemfacts.com/

    The problem to me is that they just now notified us, yet they registered the domain for the breach on 2014-12-13. Which goes to show that they knew about the breach nearly 2 months (or possibly more) before deciding to inform us.

  14. Re:Thanks Obama by tibit · · Score: 3, Insightful

    So, you've got 100k of disposable income sitting around just in case you had to stay in the hospital for a week? Well, good for you, but I don't want the likes of you setting public policy, you know.

    --
    A successful API design takes a mixture of software design and pedagogy.
  15. Re:Thanks Obama by BVis · · Score: 3, Insightful

    Yes, the behavior is totally defensible because the other side does it as well.

    Except, you know, not.

    --
    Never underestimate the power of stupid people in large groups.
  16. What was the attack vector? by mdecheser · · Score: 3, Interesting

    Has any information been released regarding how the attack was performed?

  17. Re:Thanks Obama by Rockoon · · Score: 5, Insightful

    Yes, the behavior is totally defensible because the other side does it as well.

    This coming from the person that (a) was the one that brought up gerrymandering, (b) only mentioned the GOP, and (c) vilified the GOP.

    A very consistent thinking process you have. You will slam them publicly when the GOP does it, but you will also make every attempt to avoid saying that the DNC is also doing it.

    When confronted with your hypocrisy you shrug it off and again make sure to not directly say that the DNC is also guilty but instead say "the other side."

    Intellectual honesty is only intact when it's from start to finish. When it isn't from start to finish, you are just a partisan asshole.

    --
    "His name was James Damore."
  18. Re:Thanks Obama by Ol+Olsoc · · Score: 5, Insightful

    It's selfish to not want to be told by someone else what to do?

    It's called civilization. If I want to masturbate in public, or kill people, or be a pedophile, or be a cannibal. Or steal from my neighbors and sell their stuff on eBay, or force my neighbor's wife to have sex with me. I'm not allowed to do those things; it's an infringement upon my freedoms. I am not free to do any of those things without societal repercussions. And I agree with punishments for those things. People should not have the freedom to do those things.

    We are a whole lot less "free" than some of us think.

    It is the people that think they have an automatic right to tell others what to do that are selfish. This seems to be a common theme in politics today, where a group guilty of something like being selfish, label those that oppose them with what they themselves are actually guilty of.

    Read this

    http://talkingpointsmemo.com/l...

    Now let's discuss.

    Okay, I am certain that washing hands after using the toilet is one of those selfish things that intrude upon freedom. It actually is a restriction. If I have to do something, I am not free from doing exactly as I wish. I am restricted from my freedom to get my coliform bacteria laden shit on people's food. And Sen. Thom Tillis (R-NC) agrees with that.

    Do you? Is fundamental freedom to do whatever you feel like doing so sacrosanct that you would be willing to allow your child to die with their internal organs destroyed by a massive E. coli infection just so someone doesn't have to wash their hands? Even if we're not in "Think of the Children mode", are you willing to die because an employee enjoys greater freedom to

    He is fine with that. And his other bit of batshit crazy stupidity was that he supported restaurants having to put up a sign saying they didn't require employees to wash their hands after a steaming hot crap, if they don't want to require their employees to have to wash their hands.

    Which of course is a regulation, and regulations are bad, and it infringes upon the freedoms of the owner of the restaurant. Is the final answer "Eat shit and die, it's the way of freedom"?

    This is the problem when Libertarianism gets married to Fundamentalist Republicanism. We end up making insane statements. Probably very few people want to eat fecal matter. It's been a known disease vector for a long long time. But when you decide that every law and regulation is an assault upon your freedom, and therefore evil, you get stuck in a potatofest of having to support insane ideas like a complete abandonment of basic hygiene, with Two Girls, One Cup notwithstanding.

    It is not selfish to want to avoid other people's tyranny. You dumb fuck.

    Meh, define that tyranny? Is it being required to wash your hands? Is it not allowing you to kill anyone you feel like killing? Not being allowed to have sex with your daughter? All are societal restrictions on your freedom. You would be much more free if you could do any of those things, without society judging or impeding you.

    This is where all of the faux libertarian arguments fail. Everything is a litmus test, and when hoist by your own petard, you end up having to make up things like requiring employers to put up signs that only violate your own litmus tests. There is no civilization without restrictions on behavior. The faux libertarian world is nothing more than modern day crypto-anarchy.

    And you calling me a "dumb fuck" is just illustrative of every conversation I have with faux libertarians. All insult, no content.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.