The attack on Anthem’s networks that exposed the Personally Identifiable Information (PII) of as many as 80 million Anthem health insurance customers brings home the importance of cyber hygiene at the individual as well as the corporate level.
On February 5, 2015, Anthem reported that cyber criminals gained access to its customer databases through sophisticated hacking techniques that involved impersonating administrator logons to run database queries and extract troves of PII. Recent news reports indicate the US government believes the attack may be the work of hackers sponsored by the Chinese government. Anthem has notified some of its customers that the attack may have begun as early as December 10, 2014, and was not detected until January 29, 2015.
The health care industry has experienced a sharp rise in cyber attacks – a 100 percent increase between 2009 and 2013, with 40 percent of health care institutions reporting an intrusion of some kind in 2013, according to Bloomberg News and a Ponemon Institute report. One reason is that health insurance credentials are worth a great deal more on the underground market than credit card data, as they can be used to fraudulently procure medical services and devices.
At this time, Anthem reports, no medical information was compromised. Personal information including names, addresses, Social Security information, and passwords was disclosed, however, putting millions of current and former Anthem insurance customers at risk of identity theft and further corporate espionage. State-sponsored attacks appear to be increasingly targeting executives and other officials with access to national security, intellectual property (IP) and trade secret information.
In other words, the information acquired through the Anthem hack can now potentially be used as a stepping stone: hackers can use the stolen identities and credentials of Anthem customers to search for further sensitive and valuable information, including medical information, financial information and IP.
Employers who have Anthem plans should review their plans to understand what rights and obligations the parties have in the event of a data security breach. They should also urge employees using Anthem to be extra vigilant for “phishing” schemes – targeted emails with embedded links that might seek to gain access to additional information – and any other suspicious written or verbal communications. Employees should immediately change their passwords to all sensitive accounts and should monitor credit card and other financial accounts to guard against unusual activity.
Anthem promises to notify affected individuals personally. Because the breach took place on Anthem’s networks, it is Anthem’s duty and responsibility to follow state data breach notification laws, as well as any federal laws that may apply if indeed financial or health information was compromised. Thus, it is Anthem’s legal duty to notify affected individuals and provide a remedy for their harm, such as credit monitoring and identity theft protection. Nonetheless, it behooves employers with Anthem plans to communicate routinely with employees who may be (understandably) concerned about the breach.