Slashdot Mirror


Anthem's Historic Data Breach: What We Still Don't Know 2 Years Later (axios.com)

In February 2015, health insurer Anthem said its database had been compromised, exposing personal information for 78.8 million people, including 60 million to 70 million of its current and former customers and employees. Two years later, much of how it happened, who did it, and what consequences Anthem will face remain unanswered. From a report: Anthem has not disclosed the value of its cyber insurance policy, which defrays some of the costs. The hackers were most likely working on behalf of a foreign government. Many security experts believe it was China, but that has not been proven yet. The FBI would not comment on the pending investigation. It's unclear if Anthem will face a federal penalty. It's by far the largest health care data breach, and the Department of Health and Human Services has imposed fines in the past. We don't know for sure that Anthem was fully protected from this type of attack, and a separate federal agency that had a contract with Anthem previously said the insurer did not have controls in place "to prevent rogue devices...from connecting to its networks." Class-action lawsuits are still pending, and fact-finding discovery ended in December. Anthem could escape big damages if people can't show concrete harm.

25 comments

  1. with this admin in place by TheGratefulNet · · Score: 1, Insightful

    i.e., the US president and how he hates 'regulations', I expect nothing to happen to the company. we have to 'protect' companies, after all, they are all too big to fail, in the cheeto benito's eyes.

    little guys don't matter. for the next 4 years, we'll see nothing BUT this kind of lack of caring and lack of regulation. no penalties, either.

    but hey, the conservatives are STIGGINIT to us. yay conservatives!

    --
    "It is now safe to switch off your computer."
    1. Re:with this admin in place by operagost · · Score: 1

      So what did Obama do about this, again?

      Oh, I know-- totally helpless with that obstinate Republican Congress. Yup, they stole his phone and his pen.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    2. Re:with this admin in place by Anonymous Coward · · Score: 0

      Actually, that idiot Obama is the one who forced the health care industry to make everything available online, allowing it to be hacked. Before then, you would have had to break into multiple locations in multiple states to hack my physical medical records. We should have been given a choice as to if we wanted all of our information scanned and put online. I *liked* having it only in dead tree format.

  2. Anthem + OPM = Blackmail by laughingskeptic · · Score: 1

    Disparities between OPM records and medical records (for instance married persons being treated for venereal disease) provide intelligence blackmail targets.

  3. What we still don't know... by FrankSchwab · · Score: 4, Interesting

    As someone who was affected by this breach, I'll tell you what I still don't know.
    I don't know what information about me and my family was disclosed. I don't know whether they got my name and account number, the list of payments they've made, the list of diagnostic codes for each of those payments, or what. When I called to find out, the answer was "our public statements are all the information that I have to give you". Basically, the bad guys know what they got, and Anthem won't tell me.
    It sucks feeling so powerless about control of personal information.

    --
    And the worms ate into his brain.
    1. Re:What we still don't know... by Anonymous Coward · · Score: 0

      It sucks feeling so powerless about control of personal information.

      Sorry man - nobody deserved to get hit by that.

      What also sucks about it is that medical care is one of the cases where you can't exactly avoid participating. With most of the stupid IoT shit I can just not use it, and let the world go its own way. With medical care, quite often you don't have much of a choice. And anymore, the medical system will not treat you if you are not willing to be placed into their online, internet-connected systems. You can't say, "Look, just let me pay you here on the spot in cash and don't enter me into your online record database".

    2. Re:What we still don't know... by Anonymous Coward · · Score: 0

      I hear ya, I got 1, 2, 3 Bohica'd by VA, OPM, Anthem.

      Here's to you Nancy Pelosi you fucking traitor.
      http://i67.tinypic.com/a32yvp....

      I applied for a name change, having served in the military, I think I want an ADDRESS change as well. They ain't paying that. But this way I make their information worthless. Start making them "not know."

  4. Re: Foreign Government? Seriously? by Anonymous Coward · · Score: 0

    Deflect the blame. It's the oldest trick in the book.

  5. wishful thinking by Neuronwelder · · Score: 1

    I hope the people who were hit were the ones who wanted less Corporate regulation!!

    1. Re:wishful thinking by Anonymous Coward · · Score: 0

      It was government regulation that forced this information to be available online.

  6. Who are those 8+M extra people? by aglider · · Score: 1

    I would like to know who those 8+M people ("persons") are that are neither current nor former customers and employees!
    I suspect they also have collected and retained data about prospect-customers, wanna-be employees.
    And I wonder how legal it is!

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    1. Re:Who are those 8+M extra people? by Bob the Super Hamste · · Score: 1

      I think you may be correct in the "prospect-customers, wanna-be employees". My wife recently got a letter from a school district she applied to before we were married stating that her personal information had been stolen. We think that the information was kept for 16 or 17 years but is at least 15 years old. Personally I am getting really sick and tired of getting the notifications that organization X has had a data breach and as such I will be granted 1 free year of credit monitoring by shit company Y that I already have 5 concurrent monitors from. In a case like the one with my wife, they had no reason to still be holding on to that information and should have disposed of it long ago; smells like negligence to me. In the case of the Target breach, there were tons of places where, had they simply followed basic system security procedures, they could have stopped it, so again it smells like negligence. The problem is that there aren't any real consequences for these companies. Make it so that if you are negligent like in these examples, you have actual damages to pay to individuals. Even making it some value like $100 per individual would go a long way to seeing that proper measures are taken. Maybe make it $100 for regular data loss, but losing something like an individual's SSN or partial SSN (the last 4 digits are the unique ones; the rest can be figured out fairly reliably) then goes up to $1000 and 10 years of credit monitoring, since far too many institutions feel they need SSNs and treat them as the magic number to uniquely identify a person across systems.

      --
      Time to offend someone
  7. The only way this is going to stop by Anonymous Coward · · Score: 0

    The expectation that each and every organization has to collect all possible relevant and irrelevant data from customers - has to end.

    And sheeple meekly sharing all their data. When my dentist wants my SSN, irrelevant medical history, Facebook ID, shoe size and driver's license number, I say no.

    Laws, regulations, enforcement, audits, firewalls - data wants to be free, and it will happen, sooner or later.

    1. Re:The only way this is going to stop by CaptainDork · · Score: 1

      Yeah, privacy is like pulling teeth.

      --
      It little behooves the best of us to comment on the rest of us.
    2. Re:The only way this is going to stop by bondsbw · · Score: 1

      Government identifiers like SSN and DL number need to be replaced. Even then, they should never be used (directly) for non-government purposes.

      We have much better options today. We need to start using them.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
  8. Re:Foreign Government? Seriously? by Anonymous Coward · · Score: 0

    fart

  9. SSN forever by Anonymous Coward · · Score: 0

    Shortly after the breach was announced I called and asked them to delete my SSN. They said they could not. But they confirmed some of their customers do not have an SSN on file; they just didn't know how to delete my SSN. I even offered to give them my driver's license # to replace it. Useless tools.

  10. Class-action lawsuits are still pending by NoSalt · · Score: 1

    Ummm ... so does this mean I can sue the federal government (specifically the OPM) for allowing the Chinese to steal my personal information???

  11. Re: Foreign Government? Seriously? by Anonymous Coward · · Score: 0

    It makes me sick to see all the -1's on the accurate comments. Slashdot should come up with a new tagline instead of "news for nerds". News for libtards sounds better and more accurate.