If there was anybody left in California who hadn’t had important personal information already accessed by hackers, there is a good chance they got scooped up in the breach that health insurance giant Anthem Inc. announced on Wednesday.
California's largest for-profit health insurer said the records of 80 million customers and employees were potentially at risk. That included names, Social Security numbers, birth dates, addresses, phone numbers, email addresses and employment information. So far, Anthem does not believe medical records or credit card information was stolen.
Anthem did not say when the hack occurred but the Wall Street Journal reported it was discovered last week. The FBI is investigating. The bureau warned last August that hackers were targeting the healthcare industry. The tip-off was the week before when hackers stole millions of records from Community Health Systems, Inc.
Reuters said the FBI then sent out an alert to the healthcare industry, but not the public at large, that warned: “The FBI has observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII).” Anthem and its security adviser said the hackers were probably operating from China.
That warning came about four months after an earlier FBI warning to the industry that its security sucked compared to other sectors of the economy.
All of Anthem’s plan/brands were affected: Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink and DeCare.
The second annual “Data Breach Industry Forecast (pdf),” from the credit information services group Experian, predicted bad things ahead for health-related businesses, warning, “Several factors suggest the healthcare industry will continue to be plagued with data breach headlines in 2015.”
Those factors include an increased use of electronic medical records, new wearable technologies, the high value of the information, lax cyber security systems, and the lack of security in doctors’ offices, clinics and hospitals.
This is not a secret within the industry. The report cited a Ponemon Institute survey that found 32% of healthcare organizations were only somewhat confident “in the security and privacy of patient data” and 40% were not confident at all.
Perhaps more ominously for Anthem President and CEO Joseph R. Swedish, the report said, “It is clear that security can no longer be viewed as just an IT issue. In 2015, scrutiny of corporate leadership’s management of security may continue to increase in the form of legal and regulatory action after a major incident.”
Swedish, in the company’s statement announcing the breach, said that he too was a victim, having had his information compromised, and joins the other victims in their “concern and frustration.” He “wanted to personally apologize” to everyone “as I know you expect us to protect your information.” Swedish signed the company’s statement announcing the breach with a large sprawling (for just three letters), “Joe.”
Now that Anthem knows it has a security problem, the company said it has “retained Mandiant, one of the world’s leading cybersecurity firms, to evaluate our systems and identify solutions based on the evolving landscape.”
That landscape is a bit bleaker now than it was last August.