[BreachExchange] Details of Anthem's massive cyberattack remain in the dark a year later

Audrey McNeil audrey at riskbasedsecurity.com
Wed Mar 30 19:54:49 EDT 2016


http://www.modernhealthcare.com/article/20160330/NEWS/160339997


It's been more than a year since health insurer Anthem disclosed what was
by far the largest data breach in healthcare history, yet almost nothing
new is known about the causes, costs and ramifications.

The cyberattack
<http://www.modernhealthcare.com/article/20150204/NEWS/302049928>—in which
hackers stole the names, birthdays, Social Security numbers, home addresses
and other personal information of 78.8 million
<https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf> current and former
members and employees—gave Anthem's reputation a black eye early on. The
company and the industry at large scrambled to do damage control. Consumers
questioned whether Anthem and other healthcare organizations could manage
the volumes of data they had.

But the breach essentially has been treated as a footnote since then.
Anthem's pending acquisition of Cigna Corp.
<http://www.modernhealthcare.com/article/20150724/NEWS/150729899>, other
high-profile
<http://www.modernhealthcare.com/article/20150317/NEWS/150319904>
healthcare digital attacks
<http://www.modernhealthcare.com/article/20160217/NEWS/160219920>, and time
overshadowed Anthem's large-scale breach. Unresolved legal issues likely
have stifled further disclosure of what is known.

The FBI is still investigating the attack and so far has found no evidence
that Anthem members' data have been sold, shared or used fraudulently, an
Anthem spokeswoman said. Credit card and medical information also allegedly
has not been taken. Anthem provided two years of credit monitoring to
people who were affected.

The source of Anthem's breach has not been identified, although some
reports have linked it to Chinese hackers. The FBI did not respond to a
request for comment.

Anthem executives have not addressed the cyberattack in any quarterly
earnings calls
<http://www.modernhealthcare.com/article/20150429/NEWS/304279980> in the
past year, and the incident has not directly impacted membership or profits
<http://www.modernhealthcare.com/article/20160127/NEWS/301279998>. Costs
and fines associated with the breach presumably total millions of dollars
and could be “significant” beyond Anthem's cybersecurity insurance policy
<http://www.modernhealthcare.com/article/20150224/NEWS/150229954>, but no
hard figures have been issued or estimated
<https://www.sec.gov/Archives/edgar/data/1156039/000115603916000018/antm-2015123110kforq4.htm>.
Anthem's next public call will occur April 27, when the insurer releases
first-quarter finances.

Anthem sent a statement to Modern Healthcare that reads, “At Anthem,
securing our member, provider and client data is a top priority. We
maintain a diligent focus on data security and our information security
program strives to protect, control and maintain the security of our
technology environment.”

Anthem hired cybersecurity firm Mandiant in the aftermath of the hack.
Vitor De Souza, a spokesman at FireEye, the parent company of Mandiant,
said their work with Anthem is confidential under their contractual
obligations.

The National Association of Insurance Commissioners and the Indiana
Department of Insurance also have worked with Anthem, headquartered in
Indianapolis. The NAIC commissioned a “market conduct and financial exam”
of the breach, but the report has not been finished and remains classified.

“Anthem was proactive about addressing this breach and notifying
individuals who may have been affected by it,” Jenifer Groth, a spokeswoman
at Indiana's Department of Insurance, said in a statement.

In a breach as large as Anthem's, the shocking lack of details likely comes
down to the legal process
<http://www.modernhealthcare.com/article/20150223/NEWS/302239977>, said
Sean Curran, a cybersecurity expert at consulting firm West Monroe
Partners. Anthem is facing multiple class-action lawsuits
<http://www.modernhealthcare.com/article/20150206/NEWS/302069967> from
affected health plan customers. The insurer also is trying to dismiss
several counts in a consolidated case that sits in the U.S. District Court
for the Northern District of California.

“It's probably difficult to keep a handle on everything,” Ken Dort, a
partner and cybersecurity expert at Drinker Biddle & Reath in Chicago, said
of Anthem's breach.

However, it appears Anthem would want to disclose more information publicly
given its merger target, Cigna, previously held reservations about the
effect of the data breach. State and federal regulators are conducting an
antitrust review of the transaction, which has been fiercely opposed by
consumer advocates.

“Trust with customers and providers is critical in our industry, and Anthem
has yet to demonstrate a path towards restoring this trust,” Cigna CEO
David Cordani and Board Chairman Isaiah Harris Jr. wrote in a June 21
letter that rejected Anthem's initial advances
<http://www.modernhealthcare.com/article/20150622/NEWS/150629986>. “We need
to understand the litigation and potential liabilities, operational impact
and long-term damage to Anthem's franchise as a result of this
unprecedented data breach as well as the governance and controls that
resulted in this system failure.”

Other insurers have not fared well since Anthem's security failure.
CareFirst <http://www.modernhealthcare.com/article/20150520/NEWS/150529986>,
Excellus <http://www.modernhealthcare.com/article/20150909/NEWS/150909880>
and Premera
<http://www.modernhealthcare.com/article/20150317/NEWS/150319904>, which
are Blue Cross and Blue Shield affiliates like Anthem, suffered large data
hacks of their own in the past year.

“The insurers have probably so many different legacy systems bolted onto
older systems,” Dort said. “They may not be quite as synchronized as much
as they should be.”

“Security still has its challenges,” added Curran. “We're still living in
the dark ages of what security is.”