Pierluigi Paganini February 05, 2015

The nation’s second largest health insurer Anthem announced that hackers violated its servers and stolen personal information from all of its business lines

The health insurance provider Anthem has confirmed the data breach that caused the exposure of an unknown number of customer record. The nation’s second largest health insurance provider announced that hackers were able to compromise its systems accessing to an unknown number of records, including complete profiles for individuals.

The Anthem President and CEO, Joseph R. Swedish has released an official statement to its customers:

“Safeguarding your personal, financial and medical information is one of our top priorities, and because of that, we have state-of-the-art information security systems to protect your data. However, despite our efforts, Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data. Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.” states the announcement, which refers to a very sophisticated external cyber attack.

The Anthem CEO Swedish has confirmed that there is no reason to believe that also credit card data nor medical information have been exposed, don’t forget that medical data would include test results and diagnostic codes.CEO Swedish has confirmed that there is no reason to believe that also credit card data nor medical information have been exposed, don’t forget that medical data would include test results and diagnostic codes.

The data breach impacted all Anthem product lines, including Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare.

The attackers also accessed employees personal information according to Swedish’s statement. In response to the cyber attack the company immediately informed the FBI and its customers to avoid further cyber attacks, it also hired Mandiant to support the investigation and sanitize the systems.

“The FBI is aware of the Anthem intrusion and is investigating the matter,” said FBI spokesman Joshua Campbell. “Anthem’s initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances. Speed matters when notifying law enforcement of an intrusion, as cyber criminals can quickly destroy critical evidence needed to identify those responsible,” he said.

Which is the extension of the data breach?

In this phase is it impossible to confirm the number of individuals impacted, but considering that Anthem is the US’s second biggest health insurer with about 70 million people, it is possible that victims are tens of millions.

“With nearly 69 million people served by its affiliated companies including more than 37 million enrolled in its family of health plans, Anthem is one of the nation’s leading health benefits companies.” states the company profile.

It is essential in this phase to understand the technique adopted by the threat actors to penetrate the Anthem systems and sanitize the compromised machine once the investigators have identified the alleged malicious agent.

The company has announced that customers whose information was compromised will be contacted directly and offered free credit monitoring and identity protection services.

“Anthem will individually notify current and former members whose information has been accessed. We will provide credit monitoring and identity protection services free of charge so that those who have been affected can have peace of mind. ” continues the announcement.

As usually happens in these cases, journalists dig into the past of the company, they discovered that it’s not the first time that Anthem suffer a data breach. In 2010, before the name was changed to Anthem, WellPoint suffered a data breach that caused the exposure of data belonging to 612,402 customers, in that case the root cause was the lack of security updates for one of their systems.

In 2013 WellPoint agreed to pay the U.S. Department of Health and Human Services (HHS) $1.7 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

Pierluigi Paganini

(Security Affairs – Anthem, data breach)

[adrotate banner=”5″]

[adrotate banner=”13″]