[BreachExchange] New report: In Anthem breach, foreign hackers took advantage of common security gaps

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jan 9 18:58:07 EST 2017


http://www.fiercehealthcare.com/it/anthem-breach-foreign-hackers-took-advantage-common-security-gaps

Investigators believe perpetrators of the 2015 Anthem hack that exposed
personal records of more than 78 million people may have been acting on
behalf of a foreign government, exploiting weaknesses in the insurer’s
system that are commonplace within the industry.

Investigators determined the identity of the hacker with “high confidence,”
and concluded with “medium confidence” that the attacker was working on
behalf of a foreign government, according to a report (PDF) from the
California Department of Insurance. Although the report did not identify
the attacker, officials have previously linked the attack to a Chinese
cyberespionage group called Black Vine that sought information on how other
countries handle medical care.

California Insurance Commissioner Dave Jones called on the federal
government to help insurers facing cyberattacks from foreign governments.

“Insurers and regulators alone cannot stop foreign government assisted
cyberattacks,” Jones said in an announcement. “The United States government
needs to take steps to prevent and hold foreign governments and other
foreign actors accountable for cyberattacks on insurers, much as the
president did in response to Russian government sponsored cyber hacking in
our recent presidential election.”

Although the report found Anthem took “reasonable measures” to protect
patient information prior to the breach, the attacker targeted specific
weaknesses within the system. On Feb. 18, 2014, an employee within an
Anthem subsidiary opened a phishing email, allowing the attacker to gain
remote access to the computer and then move laterally across at least 50
accounts and 90 systems, including the insurer’s enterprise data warehouse
where the bulk of the information was stolen.

Investigators noted that “these deficiencies were not, in our experience,
uncommon to companies comparable to Anthem in size and scope,” adding that
Anthem has since implemented two-factor authentication on all remote access
devices and invested in additional monitoring capabilities. Investigators
added that Anthem’s cybersecurity team responded immediately once it
discovered the breach, informing law enforcement and cutting off access to
the attacker within three days.

Investigators added that new controls implemented since the breach was
discovered should improve how Anthem detects and responds to any future
attacks.

“Anthem takes the security of its information and the personal information
of consumers very seriously and is committed to protecting the data of its
customers,” Anthem spokesman Daniel Ng said in an emailed statement to the
Associated Press.

Cyberattacks against healthcare companies have evolved since the Anthem
breach, as providers and insurers have seen an increase in ransomware
attacks. Cyberattacks against the healthcare industry continued throughout
2016, prompting the Department of Health and Human Services' Office of the
Inspector General to investigate how providers are protecting patient
information.