Anthem on Wednesday said unknown attackers broke into its network and accessed names, Social Security numbers, dates of birth, addresses, and other personal data belonging to members. It said that no health information appears to have been accessed in the breach.
According to Anthem, the second largest healthcare provider in America, the database that was attacked includes records for approximately 80 million people. “Of that, we haven’t determined the exact number of people affected,” a spokesman said via e-mail.
While this attack may be the largest ever on a healthcare company, it comes as attackers are going after hospitals and healthcare companies with growing frequency. In many cases, according to security experts, they are finding easy targets. But just as sustained attacks on retailers and banks led to improvements in security, healthcare may begin strengthening its protections, too.
“Healthcare has been one of the top three targets for the last three years," says Kevin Epstein, vice president of advanced security and governance at email security vendor Proofpoint. “The difference is they have been out of the public eye and because of that some organizations have taken a more laissez-faire, wait-and-see attitude [toward security]."
Now, he said, breaches like the one at Anthem are a “scathing indictment of how at a board level, security has not been a crucial issue to date.”
With healthcare data increasingly being digitized, stored, accessed, and shared electronically, attackers have many more opportunities to go after it than before. Often, according to security experts, the data is easier to get at than sensitive information stored by financial services companies or retailers because many of the organizations digitizing health data aren't savvy enough about preventing hacks.
The Anthem hack is the second major incident involving a healthcare organization in recent months. In August, Community Health Systems, a large health network based in Franklin, Tenn., reported in a regulatory filing that hackers had broken into systems and accessed personal data belonging to 4.5 million individuals.
What's more, a chronicle of data breaches maintained by the Privacy Rights Clearinghouse shows that there have been at least 78 publicly reported data breaches involving healthcare organizations since January 2014. A survey by PricewaterhouseCoopers (PwC) last year showed healthcare organizations reporting a 60 percent increase in detected intrusions in 2014 compared to the year before, with financial losses from such incidents soaring 282 percent during the same period.
In 2014, breaches in the medical and healthcare industry accounted for nearly 43 percent of all data breaches – higher than any other industry, according to the Identity Theft Resource Center. It marked the third year in a row where breaches in the healthcare sector topped all other industries.
Yet, the trend has garnered little of the attention that the breaches at companies such as Sony Pictures, Target, and Home Depot have received. Those attacks, to be sure, have been spectacular in scope and immensely costly for the companies involved.
But from a consumer impact perspective, cyberattacks on healthcare organizations are more troubling because of the kind of data involved.
Unlike many retail breaches, which typically involve loss of credit and debit card account information, a majority of breaches in the healthcare sector involve information that can be used to forge identities and to commit healthcare fraud. In the case of Anthem, no protected health information appears to have been accessed. But the information that was stolen – Social Security numbers, dates of birth, addresses and the like – is enough to commit identity theft on an unprecedented scale.
“It is a nightmare,” said Jaime Blasco, vice president and chief scientist at security firm AlienVault. “If the attackers had access to names, birthdays, addresses, and Social Security numbers, it means that information can be easily used to carry out identity theft schemes,” he said in an e-mail. “It means cybercriminals can buy access to the stolen data and use that information to drain your bank account, open new credit accounts and telephone accounts or even utility accounts.”
PwC, like many others, says that criminals are targeting healthcare providers and payers simply because of how valuable their data is compared to other data sets.
“A health record often comprises a full complement of information – financial, medical, family, and personal – that can be used to construct a complete identity,” the firm noted in its report last year. A complete record containing health insurance credentials can fetch up to $1,000 on the black market, compared with stolen payment card data, which typically fetches about $1 apiece, PwC notes.
Ron Sadowski, director of technology solutions at RSA, the security arm of EMC Corp., said what’s going on in the healthcare sector fits a longstanding pattern.
The mother lode of personal data held by healthcare companies provides the motive that hackers need while the ongoing migration of health data to an Electronic Health Records system provides them the opportunity, he said. “When you look at any crime, it requires motive and opportunity."