Hackers have turned their attention from retailers and financial records to health insurance and medical records. Anthem reports that up to 80 million records — including those of its employees — may have been exposed in a breach. They didn’t get credit card or banking information, but they got Social Security numbers, addresses, and income data:
Health insurer Anthem says hackers infiltrated its computer network and accessed a swathe of personal information about current and former customers including their incomes and street addresses.
In a statement, Anthem President and CEO Joseph R. Swedish called the cyberattack “very sophisticated.”
The company said credit card information wasn’t compromised and so far it has not found evidence that medical information such as insurance claims and test results was targeted or obtained.
Stolen information did include customers’ names, birth dates, social security numbers, street addresses, email addresses and employment details including income.
The e-mails went out last night, and the message has been reposted at the special website set up by Anthem. CEO Joseph Swedish explained that his own data was compromised in the hack:
Safeguarding your personal, financial and medical information is one of our top priorities, and because of that, we have state-of-the-art information security systems to protect your data. However, despite our efforts, Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data. Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.
Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation. Anthem has also retained Mandiant, one of the world’s leading cybersecurity firms, to evaluate our systems and identify solutions based on the evolving landscape.
Anthem’s own associates’ personal information – including my own – was accessed during this security breach. We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data.
“State-of-the-art information security systems”? Apparently not, at least not state of the hacking art information security systems. Anthem promises more information on this website, and the FTC website has more support for hacking and identity theft victims.
That seems to be the point of this intrusion, no? Previous hacks hit retailers to access credit card data. Why else would anyone spend the time and trouble to hack into the customer records of a health insurer? Perhaps there might be some potential for extortion, but Anthem says the medical records themselves weren’t accessed.
Corporations are going to have to start taking security a lot more seriously. That means more complicated protocols, better technology, and higher costs to the consumers. In the meantime, it also means a lot less trust and economic damage — which may be the real motive for these hacks in the first place. A theft on this scale could well be state-on-state cyber warfare, and there are at least a few nations that might want to do this kind of damage and have the capacity to succeed at it.
Update: And it appears that my suspicion may have been correct:
Investigators of Anthem Inc.’s data breach are pursuing evidence that points to Chinese state-sponsored hackers who are stealing personal information from health-care companies for purposes other than pure profit, according to three people familiar with the probe.
The breach, which exposed Social Security numbers and other sensitive details of 80 million customers, is one of the biggest thefts of medical-related customer data in U.S. history. China has said in the past that it doesn’t conduct espionage through hacking.
The attack appears to follow a pattern of thefts of medical data by foreigners seeking a pathway into the personal lives and computers of a select group — defense contractors, government workers and others, according to a U.S. government official familiar with a more than year-long investigation into the evidence of a broader campaign.
Sounds less like an identity-theft risk and more about espionage, but either would create a lot of damage.