The data breach at Anthem, one of the country’s most prominent health insurers, is thought to be the largest healthcare data breach in history by a wide margin. The insurer is reporting that the breach affecting 80 million people was traced to the theft of an administrator’s login key and password.
The information stolen from the insurance giant includes names, birthdays, medical identifications, Social Security numbers, street addresses, e-mail addresses, and employment information, including income data, Anthem announced. The compromised database contained up to 80 million customer records. Anthem said the breach resulted from a “very sophisticated external cyberattack,” and initial suspicions fell on China. The data were not encrypted.
Formerly known as Wellpoint, Anthem is the second-largest health insurer in the United States. The company operates plans including Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Amerigroup, and Healthlink.
Anthem’s investigation determined the hackers somehow obtained the credentials of five tech workers, possibly through a “phishing” scheme that could have tricked a worker into unknowingly revealing a password or downloading malicious software, said spokeswoman Kristin Binns. The company found unauthorized data queries with similar hallmarks as early as Dec. 10, and they continued sporadically until Jan. 27. Attempts also might have been made earlier in 2014, she said.
Anthem officials discovered the breach themselves and announced it only a few days afterward. That timetable is not typical, and it shows that companies are learning the value of database monitoring and of disclosing a breach immediately, says Ken Westin, a security analyst for Tripwire, a company in Portland, OR, that provides cybersecurity services. Members of the Anthem staff reported that they discovered the breach when a system administrator saw that his login credentials were being used by someone else to access the system.
“Once hackers are able to compromise a few high-level employee systems through a phishing campaign either through malware attachments or through a browser exploit, gaining access to a user’s database credentials would be trivial,” Westin explains. “This would be where the sophisticated malware that is being reported by Anthem would be utilized. If the malware was designed specifically for this attack, it would evade most anti-virus products.”
A key weakness is that it appears there were no additional authentication mechanisms in place beyond the administrator’s login and password or key to prevent access to the entire data warehouse, Westin says. Anthem’s primary security sin might not have been the lack of encryption, but instead improper access controls, he says.
Encryption is always advised for protecting data even when a system is breached, but Westin points out that if the attackers had administrator-level credentials, encryption would have been moot anyway. The same credentials that got the hackers into the system would allow them to decrypt the data. “The Anthem case also shows the importance of monitoring database activity,” Westin says. “If the admin had not noticed his credentials were being used, it may have taken longer for Anthem to respond, and additional data could have been compromised.”
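The article's two defensive points, that the breach was noticed because an administrator saw his own credential in use by someone else and that database activity monitoring would have shortened the response, can be turned into a concrete detection check. The script below is an added example written for this page; it is not code from Anthem, Tripwire or the article. The audit-log format, the sample log lines, the session window and the row-count threshold are all constructed assumptions. It reads database audit records and raises an alert when one credential is logged in concurrently from two different source addresses, when a single query returns a bulk result set, and when queries run outside business hours.

```python
"""Flag suspicious use of a privileged database credential in audit-log lines.

Constructed log format (an assumption for this example, not a real product's):
    <ISO timestamp> user=<name> src=<ip> action=<login|query> [rows=<n>]
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample audit log (not Anthem's data): the admin's own session from
# an internal address, then the same credential used at the same time from an
# external address to pull very large result sets, including one late at night.
SAMPLE_LOG = """\
2014-12-10T09:02:11 user=dbadmin src=10.20.1.15 action=login
2014-12-10T09:05:40 user=dbadmin src=10.20.1.15 action=query rows=120
2014-12-10T09:07:02 user=dbadmin src=203.0.113.44 action=login
2014-12-10T09:09:15 user=dbadmin src=203.0.113.44 action=query rows=450000
2014-12-10T23:41:03 user=dbadmin src=203.0.113.44 action=query rows=800000
2014-12-10T10:15:00 user=analyst1 src=10.20.1.22 action=query rows=300
"""

# Tuning values are assumptions; a real deployment derives them from a baseline.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
BULK_ROW_THRESHOLD = 100_000          # rows returned by one query
SESSION_WINDOW = timedelta(hours=8)   # how long a login counts as an active session


def parse_line(line):
    """Turn one 'key=value' audit line into a dict with a parsed timestamp."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    rec["rows"] = int(rec.get("rows", 0))
    return rec


def parse_log(text):
    """Parse every non-empty line of an audit log."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_alerts(records):
    """Return (kind, user, src, timestamp) tuples for each suspicious event.

    kinds: 'concurrent_source' - same credential logged in from a second address
                                 while an earlier session is still within the window
           'bulk_query'        - one query returned at least BULK_ROW_THRESHOLD rows
           'off_hours'         - a query ran outside BUSINESS_HOURS
    """
    alerts = []
    active_logins = defaultdict(list)  # user -> [(login time, source address), ...]
    for rec in sorted(records, key=lambda r: r["ts"]):
        user, src, ts = rec["user"], rec["src"], rec["ts"]
        if rec["action"] == "login":
            for prev_ts, prev_src in active_logins[user]:
                if prev_src != src and ts - prev_ts < SESSION_WINDOW:
                    alerts.append(("concurrent_source", user, src, ts))
                    break
            active_logins[user].append((ts, src))
        elif rec["action"] == "query":
            if rec["rows"] >= BULK_ROW_THRESHOLD:
                alerts.append(("bulk_query", user, src, ts))
            if not BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]:
                alerts.append(("off_hours", user, src, ts))
    return alerts


def alert_kinds(text=SAMPLE_LOG):
    """Convenience wrapper: the ordered list of alert kinds for a log text."""
    return [kind for kind, *_ in find_alerts(parse_log(text))]


if __name__ == "__main__":
    for kind, user, src, ts in find_alerts(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  {kind:<18} user={user} src={src}")
```

On the constructed log the second login of `dbadmin` from 203.0.113.44 fires the concurrent-source alert two minutes after the legitimate session started, which is the signal the Anthem administrator happened to notice by eye; the two large queries are flagged as bulk pulls and the late one additionally as off-hours. The analyst's small daytime query produces nothing. The same three rules apply whether the data is encrypted or not, which is the point Westin makes: once an attacker holds the administrator's credential, the remaining defence is noticing that the credential is behaving unlike its owner.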