Having no need to brandish bandanas to obscure identity or firearms to force entry, it was reported Wednesday that cyber bandits, in a sophisticated and well-orchestrated robbery, recently waltzed into the IT vaults of Anthem, the second-largest U.S. health insurer, and walked off with personally identifiable information on about 80 million current and former members, a population that comprises Anthem customers, employees and its CEO, Joseph R. Swedish. The haul is reported to have included names, birthdates, social security numbers, medical identification numbers, street and email addresses and employee income data. Fortunately, there’s no indication at this point that credit-card numbers, claims information, test results or diagnostic codes were compromised as part of the crime. That said, to minimize the potential harm, Anthem has called in the FBI and is notifying affected individuals and offering free credit and identity-theft monitoring.
While there are currently few facts on precisely how or when Anthem’s system was breached, this hack is just another in a series of increasingly brazen and large attacks on the U.S. healthcare industry and the cache of exceedingly valuable personally identifiable information it maintains (think billing fraud). What is known is that customized malicious software was used to penetrate the network to pilfer the data – a near certain sign that an advanced cyber villain mind was behind the heist. Interestingly, however, that thief appears to have let her or his guard down as trackers here were able to follow the trail of stolen information back to the gang’s proverbial hideout – a web-based storage service.
Although there doesn’t seem to be a sheriff or posse capable of running these cyber outlaws out of town and many feel powerless to prevent such assaults, the majority of data breaches of this sort can be traced to a failure on the part of a business to implement simple security practices. Moreover, while no system is perfect and none perfectly safe, there are steps that can be taken to better lock the doors and shutter the windows against information thefts that potentially can break an organization’s bank.