Poor security left Anthem customer records exposed

Were millions of records stolen from the healthcare insurance provider encrypted?
Written by Charlie Osborne, Contributing Writer

Lax security is suspected of exposing Anthem's customer records and making them more valuable to hackers, reports suggest.

According to the Wall Street Journal, the healthcare insurance provider did not encrypt the Social Security numbers of both former and current employees -- 80 million records of which were potentially stolen in a crippling cyberattack.

A person familiar with the matter told the publication that no encryption was in place due to a "difficult balancing act" between protecting information and making it useful to the company.

The decision not to encrypt the data could hit Anthem hard. Had the data been scrambled, the customer records would have been less valuable, since they would take time to decrypt and could be more difficult to access in the first place. The source also said encryption would have "made it harder for Anthem employees to track health care trends or share data with states and health providers." Encryption also makes data management slower, which could have influenced Anthem's decision, if the data was indeed left exposed.

Last week, the healthcare insurance provider discovered a database intrusion which placed the data of up to 80 million former and current customers, as well as Anthem employees, at risk.

Joseph R. Swedish, President and CEO of Anthem, described the data breach as a "very sophisticated external cyberattack." It is believed a stolen employee password was used to access the database.

The company admitted that client names, dates of birth, physical and email addresses, medical IDs and Social Security numbers may have been stolen. However, there is currently no evidence that medical data -- such as diagnostics or test results -- or financial information was accessed.

"Anthem's own associates' personal information -- including my own -- was accessed during this security breach," Swedish said. "We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data."

As reported by the LA Times, security technology provider CrowdStrike believes the attack is reminiscent of other campaigns conducted by Chinese hacking group Deep Panda. CrowdStrike's vice president of intelligence, Adam Meyers, says the firm's team has "a medium to high degree of confidence" that the hacking group is involved.

"We've seen Deep Panda target healthcare before and they have in the past spoofed domains to look like healthcare providers," Meyers told the publication. "It would definitively make them the likeliest candidate for this kind of activity."

FireEye's Mandiant team is currently assisting Anthem in conducting forensics and analyzing the firm's network security.

"Fortune 500 companies continue to spend millions of dollars on network perimeter firewalls, intrusion prevention and host level security technologies, but, as the Anthem, Sony, Target and J. P. Morgan breaches illustrate, the bad actors continue to get in," Carl Wright, general manager of TrapX and former CISO of the US Marines, told ZDNet.

"Even more concerning, cyber criminals are now going after health care records because they hold up to ten times more value on the black market over simple credit card numbers. Unlike a credit card that can be quickly cancelled and reissued, medical health records contain social security numbers, personal addresses, medical conditions and contact information on other family members. This is information that can be used to steal someone's entire identity."
