Anthem and Post-Breach Phishing Awareness

The Anthem data breach announced on February 5, 2015 set a new high-water mark for healthcare data breaches. It dwarfed all previous records, exposing close to 80 million members’ records, and is by a considerable distance the largest healthcare data breach ever discovered. Only a handful of reported healthcare data breaches have exceeded 2 million records.

In the United States, data breaches affecting the protected health information of patients and health plan members must be reported to the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR). OCR maintains a searchable database of all healthcare data breaches that have affected 500 or more individuals. Many of those breaches were relatively minor; a misdirected batch of emails, for example. Few of them required actions and mitigations as extensive as the latest Anthem ‘mega’ breach.

Anthem’s CEO has now established the website “AnthemFacts.com” containing a Frequently Asked Questions document about the data breach, but the media offers plenty of alternative sources of Facts and FAQs.

Previous Largest Healthcare Data Breaches

The previous largest healthcare data breach occurred in 2011. The records of 4.9 million active and retired military personnel were reported stolen after back-up tapes of their health records disappeared from a data contractor’s car in San Antonio, Texas. SAIC, the contractor involved, had no reason to believe the tapes were the target of the theft, or that the thief even knew what he or she was stealing. (See Records of 4.9 mln stolen from car in Texas data breach.)

The second largest healthcare data breach occurred in 2014. Tennessee-based Community Health Systems experienced an “external criminal cyber-attack” in April and June of 2014 that resulted in the theft of its patients’ protected health information. CHS’s Media Notice said it had worked closely with Federal law enforcement and believed it was the victim of an “Advanced Persistent Threat” group originating from China. The HHS database indicates 4.5 million patient records were exposed in that breach.

The third largest healthcare data breach ever reported to OCR by a HIPAA-covered entity affected Advocate Medical Group. 4 million patient records were stolen from the company on July 15, 2013. The unencrypted patient health records were stored on four laptop computers. It was unclear whether the laptops were stolen for their resale value or for the data stored on them.

The lawsuits filed on behalf of the potential victims were dismissed. In order “to claim injury, whether actual or threatened, the plaintiffs must establish it is ‘distinct and palpable’ and ‘fairly traceable’ to the defendant’s actions and that the requested relief would substantially redress the loss.” (See Illinois court dismisses claims of potential loss from Advocate data breach.) The plaintiffs were unable to provide sufficient evidence that this was the case.

Other than the Xerox data breach, which cost the company the State of Texas Medicaid contract in 2014, no other healthcare data breach listed on the OCR breach portal has resulted in the theft or exposure of more than two million records.

Healthcare Data Breach Lawsuits

As Forbes magazine recently explained, the number of records stolen in the Anthem cyberattack exceeds the total number of records exposed in all the healthcare data breaches reported in the previous five years. Anthem, whose stock fell from its 52-week high of $143.65 to $134.79 today following the announcement of the cyberattack, has already had four class action lawsuits filed against it. (See Cohen and Malad Anthem Lawsuit, Morris v. Anthem, Juliano v. Anthem (Alabama-based), and D’Angelo et al. v. Anthem.)

What all of these lawsuits claim is that the theft of current and former Anthem customers’ electronic protected health information puts plaintiffs and class members at an increased risk of identity theft and fraud. The data elements at issue are:

  • Full names
  • Birthdates
  • Email addresses
  • Employment details
  • Social Security numbers
  • Incomes
  • Home addresses

Anthem has only 34 million current customers, yet almost 80 million records were exposed. The breach therefore most likely also affects former customers and the family members included on their health plans.

The lawsuits make much of the fact that the U.S. Department of Health and Human Services’ Office for Civil Rights has previously fined Anthem for using “inadequate safeguards” to protect customer records. The California Attorney General has also taken action against Anthem, and specifically pointed to the fact that the company was storing customers’ Social Security numbers in an unencrypted format. (A 2013 report by the California OAG covering 131 separate data breach incidents found that 1.4 million Californians would have been protected had their data been encrypted.) Critics of Anthem have pointed out that the company was previously warned about the potential for breaches of ePHI in an FBI Private Industry Notification dated 8 April 2014 titled “Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain.”

Anthem is also accused of “failing to provide timely and accurate notice of the Anthem data breach” in violation of state data breach statutes in California, Colorado, Connecticut, Georgia, Kentucky, Virginia, and Wisconsin.

Be Alert for Phishing and Related Scams

While the theft of credit card data may seem harmful, credit monitoring is usually offered and card issuers quickly re-issue cards that have been exposed in a cyberattack. Most victims of credit card fraud are also reimbursed for fraudulent charges on their cards. Social Security numbers, unfortunately, are almost never re-issued, and there is unlikely to be any reimbursement or refund if an identity is stolen and financial losses follow. Customers whose SSN and personal data have been stolen are especially vulnerable to scams and face an elevated risk of identity theft and fraud for the rest of their lives. Anthem will certainly not be offering a lifetime of identity theft protection and credit monitoring services to breach victims.

Anthem serves customers in the following states: California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia, and Wisconsin.

Any company that also serves customers in those states should warn its customer service personnel to be on the alert for social engineering scams, particularly by telephone. Once the stolen Anthem data has been sold on, many scammers will likely attempt to gain access to accounts, or to reset passwords, on Anthem members’ other accounts that use their email addresses as usernames.

Several reports have already been received of phishing emails purporting to advise potential victims how to take advantage of credit monitoring offers from Anthem. Security journalist Brian Krebs has already published reports on some of these phishing scams (Phishers Pounce on Anthem Breach). Krebs refers to Steve Ragan’s Salted Hash article, which shared an internal memo explaining that the breach was not discovered until an employee noticed that their account had been used, without their authorization, to run queries against a database. It was eventually determined that those queries had been ongoing since December 10, 2014, although they were not discovered until January 27, 2015 and not verified until January 29, 2015.
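The memo above describes a compromise that ran for seven weeks under a legitimate employee account and was caught only when the account owner noticed. The check a defender wants is a per-account baseline of database query activity that flags deviations in time of day, source host and volume before a human has to. The following is an added example, not code from Anthem or from any of the reports cited; the audit-log format (timestamp, user, src, rows) and the log lines are constructed for illustration, and the two thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed audit lines, not from Anthem or any real system. Assumed format:
# ISO timestamp, account, source address, rows returned by the statement.
# The first two weeks are ordinary daytime use from one workstation; the last
# three lines are bulk pulls at night from a host the account never used.
AUDIT_LOG = """\
2014-11-20T14:02:11Z user=jdoe src=10.8.33.21 rows=120
2014-11-21T09:15:40Z user=jdoe src=10.8.33.21 rows=85
2014-11-24T15:47:03Z user=jdoe src=10.8.33.21 rows=210
2014-11-26T10:30:19Z user=jdoe src=10.8.33.21 rows=95
2014-12-01T11:05:52Z user=jdoe src=10.8.33.21 rows=140
2014-12-03T16:22:08Z user=jdoe src=10.8.33.21 rows=60
2014-12-10T02:14:07Z user=jdoe src=172.16.9.77 rows=48000
2014-12-10T02:41:33Z user=jdoe src=172.16.9.77 rows=51000
2014-12-11T03:02:45Z user=jdoe src=172.16.9.77 rows=47500
"""

BASELINE_DAYS = 14   # assumption: two weeks of history is enough to learn habits
VOLUME_FACTOR = 10   # assumption: >10x the account's median row count is anomalous

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) rows=(\d+)$")


def parse_log(text):
    """Parse audit lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "user": m.group(2),
                       "src": m.group(3), "rows": int(m.group(4))})
    return events


def build_baseline(events):
    """Learn each account's usual hours, source hosts and median row count
    from the first BASELINE_DAYS of activity. Returns (baseline, cutoff)."""
    cutoff = min(e["ts"] for e in events) + timedelta(days=BASELINE_DAYS)
    hours, srcs, rows = defaultdict(set), defaultdict(set), defaultdict(list)
    for e in events:
        if e["ts"] < cutoff:
            hours[e["user"]].add(e["ts"].hour)
            srcs[e["user"]].add(e["src"])
            rows[e["user"]].append(e["rows"])
    baseline = {u: {"hours": hours[u], "srcs": srcs[u],
                    "median_rows": median(rows[u])} for u in rows}
    return baseline, cutoff


def detect_anomalies(text):
    """Score every event after the baseline window; return a list of alerts,
    each carrying the reasons it deviated from the account's own history."""
    events = parse_log(text)
    if not events:
        return []
    baseline, cutoff = build_baseline(events)
    alerts = []
    for e in events:
        if e["ts"] < cutoff:
            continue                      # the baseline window is not scored
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            reasons.append("no-baseline")  # account never seen before
        else:
            if e["ts"].hour not in b["hours"]:
                reasons.append("off-hours")
            if e["src"] not in b["srcs"]:
                reasons.append("new-source")
            if e["rows"] > VOLUME_FACTOR * b["median_rows"]:
                reasons.append("volume")
        if reasons:
            alerts.append({"ts": e["ts"].isoformat(), "user": e["user"],
                           "src": e["src"], "rows": e["rows"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(AUDIT_LOG):
        print(alert)
```

Each of the three December events trips all three rules at once (hour 02:00 or 03:00 versus a 09:00 to 16:00 history, an unseen source host, and tens of thousands of rows against a median of 107.5). In a real deployment the baseline would be rolling and the thresholds tuned per role, but even this crude version would have raised the first alert on December 10 rather than January 27.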

Several news sources have made much of the fact that Anthem’s customers include defense contractors such as Northrop Grumman Corporation and The Boeing Company in Missouri. Several sources told Bloomberg that this attack fits the pattern of attacks by the People’s Liberation Army’s Unit 61398, a Shanghai-based hacking unit whose members were indicted by Federal prosecutors last year. If this proves to be true, the cyberattack may have been conducted for espionage purposes, and the stolen data would then be unlikely to be sold on to scammers. In that case, however, the data could be used in spear phishing attacks to obtain even more sensitive information about the victims.
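Whether the lure is a mass “enroll in your free credit monitoring” mail of the kind Krebs reported, or a targeted spear phish built from the stolen names, employers and email addresses, the mechanics are the same: a sender or link domain that resembles anthem.com or anthemfacts.com but is not one of them. The following is an added example of a triage check for such mail, not code from Anthem, Krebs or Salted Hash. It assumes anthem.com and anthemfacts.com (the two domains named on this page) are the only legitimate ones, and the sample message is constructed for illustration, not a real phishing email.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: these are the only domains the insurer uses for breach notices.
LEGIT_DOMAINS = {"anthem.com", "anthemfacts.com"}

# Constructed sample, not a real phishing message. It offers "free credit
# monitoring", sends from a brand-lookalike domain, and hides an unrelated
# registrable domain behind a label that reads like the genuine site.
SAMPLE_EMAIL = """\
From: "Anthem Member Services" <alerts@anthem-facts-security.com>
To: member@example.com
Subject: Action required: enroll in your free credit monitoring
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Member,</p>
<p>Due to the recent cyber attack you are eligible for free credit monitoring.
<a href="http://anthemfacts.com.secure-enroll.example/login">www.anthemfacts.com</a></p>
<p>Questions? Visit <a href="https://www.anthemfacts.com/faq">our FAQ</a>.</p>
</body></html>
"""


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Naive eTLD+1: the last two labels. Assumption: no multi-label public
    suffixes such as co.uk are involved; use a public-suffix list otherwise."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_domain(host):
    """None if the host belongs to an allowlisted domain, else why it is suspect."""
    host = host.lower()
    if registrable(host) in LEGIT_DOMAINS:
        return None
    for legit in LEGIT_DOMAINS:
        if legit in host:                 # e.g. anthemfacts.com.<attacker-domain>
            return "legit-name-as-subdomain"
    if "anthem" in registrable(host):     # e.g. anthem-facts-security.com
        return "brand-lookalike"
    return "unknown-domain"


def analyze_email(raw):
    """Return sender domain, extracted links and a list of findings
    (where, host, reason); an empty findings list means nothing looked off."""
    msg = message_from_string(raw, policy=default)
    sender_host = msg["From"].addresses[0].domain
    findings = []
    reason = classify_domain(sender_host)
    if reason:
        findings.append(("sender", sender_host, reason))
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _LinkParser()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reason = classify_domain(host)
        if reason:
            findings.append(("link", host, reason))
        # A label that reads like a URL but whose domain differs from the href.
        m = re.match(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if m and registrable(m.group(1)) != registrable(host):
            findings.append(("link", host, "label-mismatch:" + m.group(1)))
    return {"sender_domain": sender_host, "links": parser.links,
            "findings": findings, "verdict": "suspicious" if findings else "clean"}


if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL)["findings"]:
        print(finding)
```

On the constructed sample the sender domain is flagged as a brand lookalike, the enrollment link is flagged twice (the genuine hostname is used as a subdomain of an unrelated registrable domain, and its visible label names a different domain than its href), while the real FAQ link passes. A customer service desk can run the same three questions by hand: who actually sent it, where does the link actually go, and does the label match.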
