A cyber attack against a health insurance company is a glaring reminder that large health care organizations are prone to hacking.
Anthem, the country’s second-biggest health insurance provider, is the most recent target of cyber hackers. Over eighty million clients, including the corporation’s own CEO, risk having personal information stolen.
“Anthem was the victim of a complex external cyber attack,” Anthem CEO Joseph Swedish said.
The cyber hackers gained entry to Anthem’s computer system and took information including names, addresses — both street and email — birthdays and Social Security numbers as well as employment information. Income data was accessed as well.
Cindy Wakefield, an Anthem spokeswoman, claimed that the company was “still investigating to see how many client records were impacted. We believe it was tens of millions.”
Vitor de Souza, a spokesman for Mandiant, said it would be “the largest health care break to date.” Mandiant is the cyber security company Anthem hired to evaluate its computer networks.
While the intrusion into Anthem’s computer network stood out because of the number of patient records involved, it’s not unusual for cyberhackers to break into computer networks belonging to health care businesses.
“Most of the nation’s hospitals, clinics and physician’s offices do an outstanding job of protecting patient medical data. What is often overlooked is the personal financial and identification information. Cybersecurity is terrific on the former; not so much on the latter,” said Arkady Bukh, a noted criminal defense attorney in New York who has represented a Who’s Who of international cyber criminals.
HIPAA rules won’t come into play as no actual medical information was stolen. HIPAA covers the confidentiality and security of patient medical data.
The hackers were apparently not interested in medical data. “The personally identifiable data they took is more valuable than the fact that I stubbed my toe and broke it,” said Tim Eades, CEO of cybersecurity firm vArmour.
Even Anthem’s own associates’ personal information was compromised. Anthem found the breach, and de Souza said that was “good news. Two-thirds of the time Mandiant’s firm responds the victim was notified by somebody else.”
Anthem’s first response in promptly contacting the FBI is a model for other businesses facing similar situations. Speed matters when letting law enforcement know of an intrusion. Cyber-crooks may quickly destroy critical evidence.
Clients whose data has been taken should report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center.
The Anthem break-in pushed the Department of Health and Human Services to start an investigation to determine if Medicare and Medicaid clients were compromised.
According to the Sacramento Bee, Anthem provides:
- Medicaid managed plans,
- Medicare Advantage, and
- Coverage marketed through exchanges created by the Affordable Care Act
Senate Homeland Security Committee Chair Ron Johnson said sites like HealthCare.gov and Medicare.gov were among the first things he thought of when he heard about the breach. “Certainly, we must make sure our own websites are secure,” Johnson said.
Cyber experts said the attack shows why organizations need strong cybersecurity plans and a skilled IT program to secure clients’ private information.
Groups should have a multi-pronged strategy, including:
- Controlling access
- Antivirus software
- Employee education
- Firewalls, both external and internal
- Phishing filters
According to Modern Healthcare, the cyberattack may prompt other businesses and health care providers to evaluate their IT security. It is an area in which groups have not spent much money, compared with other regulated corporations.
Alan Sager, a Boston University health policy professor, said, “The ability of health care providers to gather information has grown faster than their skills in protecting it.”
“Far too many groups feel their job is to maximize revenue while protecting patient confidentiality is at the bottom.”