Close
ThinkAdvisor

Life Health > Health Insurance

Benner on tech: Anthem

X
Your article was successfully shared with the contacts you provided.

Anthem (NYSE:ANTM), the nation’s second-largest health insurer, said last night that it was the victim of an external cyberattack. The FBI and security researchers are still working to figure out the scope of the attack, but they’ve been able to confirm that hackers got into a database that had up to 80 million past and present customer records, as well as records of employees.

No one is yet sure what was taken, but Anthem suspects that the criminals got names, addresses, email addresses, employment-related information and dates of birth. But there’s a lot we don’t know. No credit card data is believed to have been stolen. No medical records — including test results, doctor information or insurance claims — are believed to have been stolen. But this hasn’t been confirmed. No one is sure who attacked the system. No one is sure how much this will cost Anthem in the end.

I spent the night on the phone with security researchers who are figuring out the scope of the attack. They work with a health-care-focused, information sharing security organization called the National Health Information Sharing and Analysis Center, or NH-ISAC. I’ve written about this group before, which is trying to beef up the industry’s cyber defenses:

Most of the industries that are considered part of the country’s critical infrastructure have an ISAC, such as aviation (A-ISAC), defense (DIB-ISAC) and financial services (FS-ISAC). These groups were created during the past decade or so as a way to let companies in a given sector share information about data breaches. Financial services, which have taken security seriously for longer than most of corporate America, started its ISAC in 1999. The health-care ISAC came much later, opening in 2010.

They say that it’s too early to know how big the breach is, but that it has the potential to be twice as large as the Target hack. It was first detected a week ago. Anthem has a website and hotline customers can use as resources. Anthem customers received emails last night saying that they will get free identity repair and credit monitoring services.

Health care is a particularly enticing target for hackers because it involves a huge web of companies that all have access to particularly sensitive data. This breach should be taken very seriously amid the current movement to digitize records, especially health records — any electronic file that’s attached to the Internet can be breached.

The big health insurers and other health care service providers are all very worried about suppliers that have access to their networks. That could include everyone from a blood testing lab to a hospital to a company that washes uniforms for a hospital to a records and archival company.

One security vendor I spoke with said that one of his clients, a big health care company, has 15,000 suppliers that have access to its network. It can only afford to audit 12 of those suppliers a year and it costs about $150,000 to conduct each audit. Checking all of the suppliers would cost about $2 billion a year.

Right now the big picture is fuzzy, so any “lessons learned” will depend greatly on whether this is malware or an attack strategy that we’ve seen before. Researcher Pierluigi Paganini notes that when Anthem suffered a data breach in 2010 that involved 612,402 customers. It ended up paying the U.S. Department of Health and Human Services $1.7 million to settle potential HIPAA privacy rule violations.

See also: WellPoint unit settles with California over data breach.

As this story unfolds, I suspect that we’ll see health care companies spend a lot of money to upgrade security systems over the next three to six months and (given that this involves patient health records) we could see some proposed legislation too.

Correction: An earlier version of this article gave an incorrect value for the reported estimated cost of auditing the network security of all of the health care company’s suppliers. The total estimated cost would be about $2 billion per year.