Anthem Inc. suffered a massive data breach as hackers broke through its defenses and stole account information from as many as 80 million of the company’s clients.
A statement released by Anthem CEO Joseph Swedish states that Anthem’s own associates’ personal information – including his own – was accessed during this security breach.
“Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data,” said Swedish.
For customers of Anthem, the company has established a website where they can find information concerning the data breach. There is also a toll-free number for current and former members to call, 877-263-7995.
Customers whose information has been stolen should report suspected identity theft to the FBI’s Internet Crime Complaint Center.
It is not yet known how hackers obtained access to Anthem’s systems, and the company is actively working with the FBI in an investigation. What is known, though, is that the hack looks to be very sophisticated.
According to Cindy Wakefield, an Anthem spokeswoman, the affected database contained records for approximately 80 million individuals, but the company is still investigating to determine how many individuals were impacted by the cyber attack. At this point, the company believes the number is in the tens of millions.
Cyber Attacks Are Expensive
Unfortunately, for Anthem Inc., this is not the first time the company has been the victim of a data breach. The company was formerly known as WellPoint Inc. and formed when Anthem Insurance purchased WellPoint Health Networks in 2004. In 2014 WellPoint officially changed its corporate name to Anthem Inc.
In 2013, WellPoint found itself on the receiving end of HIPAA fines totaling nearly $2 million after exposing the ePHI (electronic protected health information) of hundreds of thousands of individuals. The HHS Office for Civil Rights’ report on WellPoint indicated a security weakness in an online application database, which left the ePHI of 612,402 individuals accessible to unauthorized individuals over the internet.
These steep fines are not the only costs health care providers must be concerned about. Last year the SANS Institute Reading Room published a report titled, “Health Care Cyberthreat Report, Widespread Compromises Detected, Compliance Nightmare on the Horizon.” It references the 2013 Ponemon Cost of a Data Breach report, which outlines a number of expenses related to a breach such as:
- Incident Handling
- Victim Notification
- Credit Monitoring
- Projected Lost Opportunities
According to the SANS report, these issues cost health care organizations globally in the range of $233 per compromised record. Additional recovery actions such as legal actions, new security control investments, extended credit protection services for victims and other related costs, actually push the cost much higher—amounting to an astronomical $142,689,666 in the case of the WellPoint incident. In addition to these remediation costs, there are also other concerns such as potential fallout in stock prices and the intangible costs of brand damage when word gets out about a company’s missteps.
Anthem Inc. Will Not Be The Last Cyber Attack
The Anthem cyber attack is the largest data breach to be disclosed by a health-care company and it is one in a long line of breaches that continue to have a deep and negative impact on the global economy.
2014 saw massive cyber attacks on giants such as Target, JP Morgan, Home Depot, Apple and Sony, to name a few. According to a study from PricewaterhouseCoopers, the number of detected cyber attacks skyrocketed in 2014, up 48 percent from 2013.
A separate report from security software vendor Kaspersky Lab estimates that an average data security incident costs a company $720,000. The report states that successful targeted attacks could cost a company nearly $2.54 million. Nearly every company surveyed by Kaspersky — 94 percent — had some type of cyber security incident in 2014.
The Solution: Unbreakable Data Encryption and Irrefutable Identity Management
As cyber attacks become more frequent, more sophisticated and more expensive to remediate, companies must take steps to protect their valuable data from hackers.
Data encryption, and more specifically ‘Zero-Knowledge’ privacy, must be at the foundation of any successful cyber security system.
Essentially, ‘Zero-Knowledge’ privacy means that your data is encrypted and no one, other than you and those you grant permission to, can access your data. With a sound, unbreakable data encryption system in place, any hacker attempting to breach a health care provider’s defenses and access sensitive patient information will be met with nothing more than a useless and undecipherable jumble of numbers and letters.
Along with unbreakable data encryption, an irrefutable identity management system is also critical to a successful cyber security strategy. All too often hackers are able to break through a company’s defenses by stealing usernames and passwords. With this type of attack becoming more common, it is wise for companies to utilize multi-factor authentication. This type of authentication can consist of a number of different options, such as biometric login. This way a company can always be sure that the person attempting to access valuable data is who they say they are.
As hackers become more creative in the ways they attack, data encryption alone is no longer considered a solution. However, unbreakable data encryption (‘Zero-Knowledge’ privacy) coupled with irrefutable identity management makes for a significant barrier against hackers.