Anthem medical data breach

The Anthem medical data breach was a data breach of information held by Elevance Health, known at that time as Anthem Inc.

On February 4, 2015, Anthem, Inc. disclosed that criminal hackers had broken into its servers and had potentially stolen over 37.5 million records containing personally identifiable information. [1] On February 24, 2015, Anthem raised the number to 78.8 million people whose personal information had been affected. [2] According to Anthem, Inc., the data breach extended into multiple brands Anthem, Inc. uses to market its healthcare plans, including Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, and UniCare. [3] Healthlink says that it was also a victim. [4] Anthem says users' medical information and financial data were not compromised. Anthem has offered free credit monitoring in the wake of the breach. [5] Michael Daniel, chief adviser on cybersecurity for President Barack Obama, said he would be changing his own password. [6] According to The New York Times, about 80 million company records were hacked, and there is a fear that the stolen data will be used for identity theft. [7] The compromised information contained names, birthdays, medical IDs, social security numbers, street addresses, e-mail addresses and employment information, including income data. [8] [9]

Theft of the data

The data was stolen over a period of weeks the month before the data breach was discovered. [10]

Because no medical information was compromised, Anthem was not required by law to encrypt the data. [11] However, Anthem faced several civil class-action lawsuits, which were settled in 2017 at a cost of $115 million. Anthem did not admit any wrongdoing in the settlement. [12]

Data from the attack is expected to be sold on the black market. [13]

Impact

People whose data was stolen could face identity-theft problems for the rest of their lives. [14] Anthem had a US$100 million insurance policy for cyber problems from American International Group. [15] One report suggested that all of this money could be consumed by the process of notifying customers of the breach. [15]

Responses

Anthem hired Mandiant, a cybersecurity firm, to review its security systems, and advised people whose data was stolen to monitor their accounts and remain vigilant. [16] [17]

The theft of the data raised fears generally about the theft of medical information. [18] [19] A writer from Harvard Law School suggested that this data breach might spark reform of security practices and government data safety regulation. [20]

An investigation conducted by several state insurance commissioners blamed the breach on an attacker whose identity was withheld, and claimed that the breach was likely ordered by a foreign government whose name was withheld. [21] It also concluded that Anthem had taken reasonable measures to protect its data before the breach and that its remediation plan was effective at shutting down the breach once it was discovered. [21] It also marked the starting date of the breach as February 18, 2014. [21] The lead investigator was the Indiana Department of Insurance (DOI), Anthem's principal regulator, because Anthem is headquartered in Indiana. [22] The Indiana DOI hired independent auditors to conduct a security assessment at Anthem, which concluded, "While deficiencies within Anthem’s cybersecurity posture were noted by the Examination Team, these deficiencies were not, in our experience, uncommon to companies comparable to Anthem in size and scope. While the pre-breach deficiencies impacted Anthem’s ability to reduce the likelihood of and quickly detect the Data Breach, the controls implemented subsequent to the Data Breach should improve Anthem’s ability to detect future breaches and enable Anthem to respond more effectively to a future attack than was the case in this instance." [22]

Federal regulators also conducted an investigation of the Anthem data breach, resulting in a $16 million settlement between Anthem and the Department of Health and Human Services (HHS), by far the largest HHS data breach settlement. [23] An HHS Director overseeing the investigation said, "The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history. Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people's private information." [23] The HHS settlement also required Anthem to perform a risk assessment and correct any identified deficiencies in its cybersecurity, with HHS oversight of Anthem's progress. [23]

Approximately 100 private class action lawsuits were filed against Anthem over the data breach and consolidated in California federal court, in front of Judge Koh, a respected authority in data breach litigation. [24] After contested briefing over who should lead the litigation efforts, Judge Koh appointed Eve Cervantez of Altshuler Berzon and Andy Friedman of Cohen Milstein as co-lead counsel, and appointed Eric Gibbs of Gibbs Law Group and Michael Sobel of Lieff Cabraser to head a Plaintiffs' Steering Committee. [25] In 2017, Anthem agreed to settle the litigation for $115 million, the largest-ever data breach settlement at the time. [26] The attorneys requested $38 million in fees for their work on the case, but Judge Koh slashed the fee request, finding that only $31 million in fees were merited. [27]

Related Research Articles

Computer security: Protection of computer systems from information disclosure, theft or damage

Computer security, cybersecurity, digital security or information technology security is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

Identity theft: Deliberate use of someone else's identity, usually as a method to gain a financial advantage

Identity theft occurs when someone uses another person's personal identifying information, like their name, identifying number, or credit card number, without their permission, to commit fraud or other crimes. The term identity theft was coined in 1964. Since that time, identity theft has been statutorily defined throughout both the U.K. and the U.S. as the theft of personally identifiable information. Identity theft deliberately uses someone else's identity as a method to gain financial advantages or obtain credit and other benefits, and perhaps to cause another person disadvantage or loss. The person whose identity has been stolen may suffer adverse consequences, especially if they are falsely held responsible for the perpetrator's actions. Personally identifiable information generally includes a person's name, date of birth, social security number, driver's license number, bank account or credit card numbers, PINs, electronic signatures, fingerprints, passwords, or any other information that can be used to access a person's financial resources.

Health Insurance Portability and Accountability Act: United States federal law concerning health information

The Health Insurance Portability and Accountability Act of 1996 is a United States Act of Congress enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1996. It modernized the flow of healthcare information, stipulates how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and addressed some limitations on healthcare insurance coverage. It generally prohibits healthcare providers and healthcare businesses, called covered entities, from disclosing protected information to anyone other than a patient and the patient's authorized representatives without their consent. With limited exceptions, it does not restrict patients from receiving information about themselves. It does not prohibit patients from voluntarily sharing their health information however they choose, nor does it require confidentiality where a patient discloses medical information to family members, friends, or other individuals not a part of a covered entity.

Equifax: American multinational consumer credit reporting agency in Atlanta, Georgia

Equifax Inc. is an American multinational consumer credit reporting agency headquartered in Atlanta, Georgia and is one of the three largest consumer credit reporting agencies, along with Experian and TransUnion. Equifax collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide. In addition to credit and demographic data and services to business, Equifax sells credit monitoring and fraud prevention services directly to consumers.

Premera Blue Cross is a not-for-profit Blue Cross Blue Shield licensed health insurance company based in Mountlake Terrace, Washington, United States. It sells health insurance plans under the Blue Cross license in Washington state except Clark County and under both of the Blue Cross and Blue Shield licenses in Alaska.

Data breach: Intentional or unintentional release of secure information

A data breach is a security violation, in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen, altered or used by an individual unauthorized to do so. Other terms are unintentional information disclosure, data leak, information leakage and data spill. Incidents range from concerted attacks by individuals who hack for personal gain or malice, organized crime, political activists or national governments, to poorly configured system security or careless disposal of used computer equipment or data storage media. Leaked information can range from matters compromising national security, to information on actions which a government or official considers embarrassing and wants to conceal. A deliberate data breach by a person privy to the information, typically for political purposes, is more often described as a "leak".

Elevance Health: American healthcare company

Elevance Health, Inc. is an American health insurance provider. Prior to June 2022, Elevance Health was named Anthem, Inc. The company's services include medical, pharmaceutical, dental, behavioral health, long-term care, and disability plans through affiliated companies such as Anthem Blue Cross and Blue Shield, Empire BlueCross BlueShield in New York State, Anthem Blue Cross in California, Wellpoint, and Carelon. It is the largest for-profit managed health care company in the Blue Cross Blue Shield Association. As of 2022, the company had 46.8 million members within its affiliated companies' health plans.

Kiteworks, formerly known as Accellion, Inc., is an American technology company that secures sensitive content communications over channels such as email, file share, file transfer, managed file transfer, web forms, and application programming interfaces. The company was founded in 1999 in Singapore and is now based in San Mateo, California.

Identity theft involves obtaining somebody else's identifying information and using it for a criminal purpose. Most often that purpose is to commit financial fraud, such as by obtaining loans or credits in the name of the person whose identity has been stolen. Stolen identifying information might also be used for other reasons, such as to obtain identification cards or for purposes of employment by somebody not legally authorized to work in the United States.

Cyber-insurance is a specialty insurance product intended to protect businesses from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities. Risks of this nature are typically excluded from traditional commercial general liability policies or at least are not specifically defined in traditional insurance products. Coverage provided by cyber-insurance policies may include first-party coverage against losses such as data destruction, extortion, theft, hacking, and denial of service attacks; liability coverage indemnifying companies for losses to others caused, for example, by errors and omissions, failure to safeguard data, or defamation; and other benefits including regular security-audit, post-incident public relations and investigative expenses, and criminal reward funds.

Medical data, including patients' identity information, health status, disease diagnosis and treatment, and biogenetic information, not only involve patients' privacy but also have a special sensitivity and important value, which may bring physical and mental distress and property loss to patients and even negatively affect social stability and national security once leaked. However, the development and application of medical AI must rely on a large amount of medical data for algorithm training, and the larger and more diverse the amount of data, the more accurate the results of its analysis and prediction will be. At the same time, the application of big data technologies such as data collection, analysis and processing, cloud storage, and information sharing has increased the risk of data leakage. In the United States, the rate of such breaches has increased over time, with 176 million records breached by the end of 2017. There have been 245 data breaches of 10,000 or more records, 68 breaches of the healthcare data of 100,000 or more individuals, 25 breaches that affected more than half a million individuals, and 10 breaches of the personal and protected health information of more than 1 million individuals.

In June 2015, the United States Office of Personnel Management (OPM) announced that it had been the target of a data breach targeting personnel records. Approximately 22.1 million records were affected, including records related to government employees, other people who had undergone background checks, and their friends and family. One of the largest breaches of government data in U.S. history, information that was obtained and exfiltrated in the breach included personally identifiable information such as Social Security numbers, as well as names, dates and places of birth, and addresses. State-sponsored hackers working on behalf of the Chinese government carried out the attack.

Lazarus Group is a cybercrime group made up of an unknown number of individuals run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them between 2010 and 2021. Originally a criminal group, the group has now been designated as an advanced persistent threat due to its intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra and Zinc.

Protecting Cyber Networks Act

The Protecting Cyber Networks Act is a bill introduced in the 114th Congress by Rep. Devin Nunes (R-CA), chairman of the House Permanent Select Committee on Intelligence. The legislation would allow companies and the government to share information concerning cyber threats. To overcome privacy concerns, the bill expressly forbids companies from sharing information with the National Security Agency (NSA) or Department of Defense (DOD).

The Internet service company Yahoo! was subjected to the largest data breach on record. Two major data breaches of user account data to hackers were revealed during the second half of 2016. The first announced breach, reported in September 2016, had occurred sometime in late 2014, and affected over 500 million Yahoo! user accounts. A separate data breach, occurring earlier around August 2013, was reported in December 2016. Initially believed to have affected over 1 billion user accounts, Yahoo! later affirmed in October 2017 that all 3 billion of its user accounts were impacted. Both breaches are considered the largest discovered in the history of the Internet. Specific details of material taken include names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and hashed passwords. Further, Yahoo! reported that the late 2014 breach likely used manufactured web cookies to falsify login credentials, allowing hackers to gain access to any account without a password.

ThreatConnect is a cyber-security firm based in Arlington, Virginia. They provide a Threat Intelligence Platform for companies to aggregate and act upon threat intelligence.

The Equifax data breach occurred between May and July 2017 at the American credit bureau Equifax. Private records of 147.9 million Americans along with 15.2 million British citizens and about 19,000 Canadian citizens were compromised in the breach, making it one of the largest cybercrimes related to identity theft. In a settlement with the United States Federal Trade Commission, Equifax offered affected users settlement funds and free credit monitoring.

The Dark Overlord is an international hacker organization which garnered significant publicity through cybercrime extortion of high-profile targets and public demands for ransom to prevent the release of confidential or potentially embarrassing documents.

The 2018 SingHealth data breach was a data breach incident initiated by unidentified state actors, which happened between 27 June and 4 July 2018. During that period, personal particulars of 1.5 million SingHealth patients and records of outpatient dispensed medicines belonging to 160,000 patients were stolen. Names, National Registration Identity Card (NRIC) numbers, addresses, dates of birth, race, and gender of patients who visited specialist outpatient clinics and polyclinics between 1 May 2015 and 4 July 2018 were maliciously accessed and copied. Information relating to patient diagnosis, test results and doctors' notes were unaffected. Information on Prime Minister Lee Hsien Loong was specifically targeted.

References

  1. Riley, Charles (4 February 2015). "Insurance giant Anthem hit by massive data breach". CNN Money. Archived from the original on 19 February 2015. Retrieved 20 February 2015.
  2. Mathews, Anna (24 February 2015). "Anthem: Hacked Database Included 78.8 Million People". Wall Street Journal. ProQuest 1657641740. Archived from the original on 26 July 2020. Retrieved 4 May 2020.
  3. "Data Breach at Health Insurer Anthem Could Impact Millions — Krebs on Security". KrebsOnSecurity. Archived from the original on 2021-05-16. Retrieved 2015-02-21.
  4. "Healthlink homepage". healthlink.com. Center of page; even the Anthem page doesn't reference Healthlink. Archived from the original on 15 February 2015. Retrieved 10 February 2015.
  5. Pepitone, Julianne. "Anthem Hack: Credit Monitoring Won't Catch Medical Identity Theft". NBC News. Archived from the original on 5 February 2015. Retrieved 5 February 2015.
  6. Michael A Riley (5 February 2015). "Chinese State-Sponsored Hackers Suspected in Anthem Attack". Bloomberg.com. Archived from the original on 2017-02-25. Retrieved 2017-03-05.
  7. Abelson, Reed; Goldstein, Matthew (5 February 2015). "Anthem Hacking Points to Security Vulnerability of Health Care Industry". The New York Times. Archived from the original on 7 August 2019. Retrieved 1 March 2017.
  8. Weise, Elizabeth (5 February 2015). "Massive breach at health care company Anthem Inc". USA Today. McLean, VA: Gannett. ISSN 0734-7456. Archived from the original on 21 February 2015. Retrieved 20 February 2015.
  9. Mathews, Anna; Yadron, Danny (4 February 2015). "Health Insurer Anthem Hit by Hackers - WSJ". Wall Street Journal. ProQuest 1651251003. Archived from the original on 18 February 2015. Retrieved 20 February 2015.
  10. Zetter, Kim (5 February 2015). "Health Insurer Anthem Is Hacked, Exposing Millions of Patients' Data". Wired. Archived from the original on 21 February 2015. Retrieved 20 February 2015.
  11. Whitney, Lance (6 February 2015). "Anthem's stolen customer data not encrypted". CNET. Archived from the original on 13 March 2015. Retrieved 20 March 2015.
  12. Freeman, Liz (26 June 2017). "Anthem settles a security breach lawsuit affecting 80M". USA Today. ProQuest 1913564990. Archived from the original on 1 December 2017. Retrieved 20 November 2017.
  13. Murphy, Tom; Bailey, Brandon (6 February 2015). "Why hackers are targeting the medical sector". Boston Globe. Associated Press. Archived from the original on 22 February 2015. Retrieved 20 February 2015.
  14. Rudavsky, Shari (7 February 2015). "Anthem data breach could be 'lifelong battle' for customers". IndyStar. Archived from the original on 13 March 2015. Retrieved 20 February 2015.
  15. Osborne, Charlie (12 February 2015). "Anthem data breach cost likely to smash $100 million barrier". ZDNet. Archived from the original on 15 February 2015. Retrieved 20 February 2015.
  16. Popken, Ben; Grant, Kelli (6 February 2015). "Anthem Breach: What Should I Do Right Now?". NBC News. Archived from the original on 20 February 2015. Retrieved 20 February 2015.
  17. McNeal, Gregory S. (4 February 2015). "Health Insurer Anthem Struck By Massive Data Breach". Forbes. Archived from the original on 7 February 2015. Retrieved 20 February 2015.
  18. Terhune, Chad (5 February 2015). "Anthem hack raises fears about medical data". Los Angeles Times. Los Angeles. ISSN 0458-3035. Archived from the original on 2 March 2015. Retrieved 20 February 2015.
  19. Abelson, Reed; Creswell, Julie (6 February 2015). "Data Breach at Anthem May Forecast a Trend". The New York Times. New York. ISSN 0362-4331. Archived from the original on 9 February 2015. Retrieved 20 February 2015.
  20. Terry, Nicholas (7 February 2015). "Time for a Healthcare Data Breach Review?". Bill of Health. Petrie-Flom Center for Health Law Policy at Harvard Law School. Archived from the original on 16 May 2020. Retrieved 20 February 2015.
  21. "Investigation of major Anthem cyber breach reveals foreign nation behind breach" (Press release). Sacramento, California: California Department of Insurance. 2017-01-17. Archived from the original on 2017-02-17. Retrieved 2017-02-16.
  22. "Multistate Targeted Market Conduct and Financial Examination of Anthem Insurance Companies" (PDF). National Association of Insurance Commissioners. Archived (PDF) from the original on 2019-02-17. Retrieved 8 February 2019.
  23. Telchert, Erica (16 October 2018). "Anthem to pay $16M in record data breach settlement". Modern Healthcare. Archived from the original on 23 March 2023. Retrieved 8 February 2019.
  24. Trade, Steven. "Blue Cross Entities Want Out Of Anthem Data Breach MDL". Law360. Archived from the original on 9 February 2019. Retrieved 8 February 2019.
  25. "Plaintiffs' Counsel Announce $115 Million Proposed Class Action Settlement in Anthem Data Breach Litigation". Market Watch. 2017-06-23. Archived from the original on 2019-02-09. Retrieved 8 February 2019.
  26. Pierson, Brendan (23 June 2017). "Anthem to pay record $115 million to settle U.S. lawsuits over data breach". Reuters. Archived from the original on 9 February 2019. Retrieved 8 February 2019.
  27. Andrews, Greg (20 August 2018). "Anthem data-breach judge OKs huge fee award, but not as much as attorneys wanted". Indianapolis Business Journal. Archived from the original on 9 February 2019. Retrieved 8 February 2019.