Wednesday evening, millions of individuals received notification from Anthem that it was the latest cyber attack victim. This attack may turn out to be the largest ever in the health care industry and demonstrates the increasing cybersecurity threats facing health care entities. Anthem is one of the nation’s largest health insurance companies, serving customers in 14 states.
In a letter explaining the attack, President and CEO of Anthem, Joseph Swedish, stated that attackers gained unauthorized access to Anthem’s IT system and may have obtained personal information from millions of current and former members and Anthem employees, including himself. The letter reported that names, birthdays, medical IDs, Social Security numbers, street addresses, email addresses, and employment data, including income, were accessed. There was no evidence that credit card information or health care claims, test results, or diagnostic codes were compromised.
Anthem is still investigating how the attack occurred and exactly how many individuals were impacted, but an Anthem spokesperson estimated it could be “tens of millions.” The hacked database reportedly contained 80 million member records. Anthem immediately reported the cyber attack to the FBI and will individually notify current and former members whose information is confirmed as having been compromised.
This cyber attack is yet another example of the persistent cyber security threats to the health care industry. In August 2014, Community Health Systems (CHS) reported a cyber attack that affected 4.5 million patients’ data. In April 2014, the FBI issued a private industry notification to the health care sector that its cybersecurity systems were lax compared to other sectors, making health care entities more vulnerable to cyber intrusions. The FBI repeated this warning in a flash alert after the CHS attack, warning more strongly that it had observed malicious actors targeting health care related systems.
According to a survey by the Identity Theft Resource Center, attacks against the health care industry topped the 2014 breach list with 42.5 percent of all data breaches. According to the FBI, a cyber criminal can sell a partial electronic health record for $50, compared to $1 for a stolen social security number or credit card number. In its fiscal year 2016 budget released February 2, 2015, the Obama Administration proposed $73 million in funding to the Department of Health and Human Services to manage and provide oversight to its cybersecurity program.