Hackers broke into the databases of Anthem Inc., the second-largest health insurer in the U.S., and stole up to 80 million customers’ personal information.
The data includes current and former customers’ names, birthdays, medical IDs, social security numbers, street addresses, email addresses and employment information, Anthem president and CEO Joseph Swedish wrote in a note sent to customers.
There is no evidence at this time that credit card or medical information such as claims, test results or diagnostic codes was targeted or stolen.
Anthem is working to close the vulnerability and has retained security firm Mandiant to evaluate its systems and identify solutions. It is also working with the FBI on the breach.
Hackers hit several hospitals in 2014, and news of the Anthem breach sparked scathing comments from cybersecurity experts.
“Yet once again we have another breach at a huge institution that has failed its customers,” Richard Blech, CEO of Secure Channels, told TechNewsWorld. “Anthem is huge and has massive resources available to protect itself and all of its consumer records, and keep its sensitive data fully protected.”
The breach “is inexcusable, as these types of breaches have reached epidemic proportions,” Blech said. Anthem “should have been prepared and this should never have occurred.”
Anthem “hasn’t yet shared how long they were compromised and when they first discovered the breach,” Tim Erlin, director of IT security and risk strategy, CTO of Tripwire, pointed out.
Fallout From the Anthem Breach
“Expect to see a flood of phishing emails disguised as notifications from Anthem,” Stu Sjouwerman, CEO of KnowBe4, told TechNewsWorld. Corporate HR and finance departments “are likely targets along with consumers.”
The information stolen “can be easily used to carry out identity theft schemes,” warned Jaime Blasco, VP and chief scientist of AlienVault.
Cybercriminals will be able to buy and use it to “drain your bank account, open new credit, telephone, or utility accounts, and even obtain medical care using your information,” Blasco told TechNewsWorld.
Consumers should freeze their credit reports with the three major credit bureaus, Experian, Equifax and TransUnion, recommended Dwayne Melancon, CEO of Tripwire.
They should also beware of any emails or calls regarding the breach, or letters requesting information, “as they are almost certainly fraudulent,” Melancon told TechNewsWorld.
Suspicious consumers can call Anthem at 1-877-263-7995.
Impact on the Precision Medicine Act
In January, the Obama administration announced details for its planned Precision Medicine Initiative, which seeks to set up a database containing the health data of at least one million volunteers to help develop treatments tailored to individuals’ specific characteristics, including their genetic makeup.
Among other things, this will give US$130 million to the National Institutes of Health to set up the foundation for research involving open data sharing, $10 million to the United States Food and Drug Administration to develop high-quality curated databases, and $5 million to the Office of the National Coordinator for Health Information Technology to develop interoperability standards and requirements enabling secure exchange of data across systems.
However, Healthcare.gov, the U.S. federal health insurance exchange website, has leaked users’ personal health information to 14 separate third-party websites. Naked Security explains how this happened.
Furthermore, HealthCare.gov was hacked in July, with the attacker installing malware on a server so it could be used in future cyberattacks.
Given these facts, the Precision Medicine Initiative is “absolutely premature and is a superficial reaction at best, to appease the public,” Secure Channels’ Blech warned. “This is not the type of initiative that should have a do-over.”
New initiatives such as Precision Medicine “should take note of data breaches and make sure they put security as a top priority,” Eric Chiu, president and co-founder of HyTrust, told TechNewsWorld.