Massive Health Insurance Company Data Breach Points to the Enormity of Global Cybersecurity Challenge
Another scary data breach dominated the news headlines on Thursday, February 5. The nation's second-largest health insurance company, Anthem Inc., had their account information stolen. Initial estimates point to a potential 80 million customer records compromised.
"Anthem was the target of a very sophisticated external cyberattack," said Anthem president and CEO Joseph Swedish in a statement posted on its website.
According to Swedish, "These attackers gained unauthorized access to Anthem's IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data. Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised."
While there are few silver linings in this announcement, Anthem did promise to provide credit monitoring protection to those affected. This statement was offered this to current and former customers:
"Anthem will individually notify current and former members whose information has been accessed. We will provide credit monitoring and identity protection services free of charge so that those who have been affected can have peace of mind."
The trend: who's next?
Target, Home Depot, Sony, and now Anthem have all experienced massive data breaches exposing millions of customer records. Last year, almost all cyber metrics of danger doubled.
Just as in the immediate aftermath of other large data breaches, we don't know all the details surrounding this breach. Stated simply, we don't know what we don't know. Nevertheless, we have plenty of questions.
How did it happen? Did an employee click on a bad link? Was there an insider threat? Who did it? Was this a hacker-group or nation-state? Is there malware involved? How well-prepared was Anthem regarding cybersecurity? What could have stopped this from happening?
What is not in doubt is that this already hit the stock price of the company and will cost millions of dollars to now respond to this situation. Worse than that, the trust of their customers will never be quite the same.
The world now wonders: Who will be next? While we can't answer those questions yet, we do have some immediate takeaways.
Three immediate takeaways
1. The first takeaway from this situation should be the broader realization that these cyberattacks are relentless and facing all global industries. The scale is huge! Any suggestion that cyberdefense is only a top issue for large retailers, or those who use credit cards, or mainly government-focused organizations, is badly mistaken.
The cyberthreat is real and growing. Attacks have been raging against banks for years now, and this large breach against the #2 health insurance provider in the nation will strike an additional level of fear into all insurance companies.
And it should. Significant actions need to be taken immediately by businesses big and small to protect their customers data and the intellectual property of companies.
2. The second takeaway is to recheck the level of protection that is in place in our nation's health system, including hospitals, doctor's offices, insurance companies and more. As mergers and acquisitions thrive in the health sector and as electronic health records are implemented across the nation, is enough being done to protect our data?
Yes - there are many steps being taken by concerned groups to ensure the confidentiality, integrity and availability of our personal health data and private records. But is it enough? In this case, no health records were initially compromised to cause a HIPAA violation, according to the statement. Still, this raises new questions in that area. How close were the health records to being breached?
Could health data breaches undermine the push to centralize records? Only time will tell.
3. Third, we should all takeaway an action to recheck our personal and corporate protections in our own situation. We should never let a crisis go to waste.
We are reminded to ask: Are we following the best practices that have been released following previous data breaches? A few of those security details are available in this piece, but many more are available examples are online.
For all of us, ask questions like: Are end users at your company trained in cyber hygiene and passwords? What steps are being taken by your security teams to defend against cyberattacks? Are you prepared?
In closing, for anyone who is concerned about their personal situation as a result of this Anthem breach, a toll-free number for current and former Anthem (previously Wellpoint) members to call is: 877-263-7995.
