Anthem, one of the nation’s largest health insurers, revealed late Wednesday that the personal information of as many as 80 million customers and employees was stolen in a “sophisticated” cyber attack.
According to multiple reports, the purloined information included names, Social Security numbers, birthdays, addresses, email addresses and employment information. The insurer said the data breach was detected on January 29 and that the FBI is now investigating.
This breach is yet another reminder that criminals are relentless in their pursuit of information. Increasingly, they are going after medical information, which is very different from credit card data (and fetches a higher price on the black market).
Healthcare Records Are the New Credit Cards
Credit cards can be cancelled and re-issued. Once medical information becomes public (or at least exposed to malicious actors), there’s no cancelling that. Employers, insurers, family members, etc., could all be influenced if sensitive, personal information about an individual is exposed. Malicious actors can use stolen medical records to do things like submit false claims and buy (and then resell) prescription drugs. With medical information, the risk is often lower for the attacker and the yield on the data is high. Additionally, medical information could be exploited for espionage and state-against-state operations.
While reports of this breach claim that no medical information has been lost, I wouldn’t be surprised if it is revised later to say that such information had been compromised. There’s a reason hackers are going after medical information. Stolen health records will sell for $10 to $50 per record on the black market, about 10 times what a credit card number goes for.
Early reports about this breach note that it was a “very sophisticated” attack. “Sophisticated” is a common label given to such breaches, but the reality is that hospitals and healthcare organizations (heck, many organizations) are breached because an attacker did something like guess a weak password. That’s far from sophisticated and reveals the nonexistent security posture that many organizations have.
Granted, this particular attack may have actually been “sophisticated,” as has been reported, but more and more, we are seeing that healthcare organizations have been playing catch-up in the security game and attackers are taking advantage of that gap.
Now, more than ever, I hope every single company is actively hunting its environment for activity that should not be occurring. If we continuously hunt risks in our own environments, it’s less likely we’ll be blindsided by one of these major breaches.