Anthem, formerly known as WellPoint, announced on Wednesday that its database had been hacked, exposing the personal information of as many as 80 million individuals. According to Anthem, the information accessed included names, birthdays, Social Security numbers, street addresses, email addresses and employment information, including income data, but did not appear to have included financial or health information. The breach, which began in December, was discovered by Anthem on January 29, prompting Anthem to notify federal law enforcement officials and retain Mandiant, a global company specializing in the investigation and resolution of cyber-attacks. Although the source of the Anthem attack has not been confirmed, the latest reports are casting suspicion on Chinese hackers.
The fallout is mounting on numerous fronts. Class action lawsuits already have been filed in several states, including Alabama, California, Georgia and Indiana. On Friday, the National Association of Insurance Commissioners called for a multi-state investigation of the breach and stated its expectation that all 56 states and territories would sign on for the joint investigation. The Anthem breach likely will spur action on a national cybersecurity bill. According to Rep. Devin Nunes (R-CA), Chairman of the House Permanent Select Committee on Intelligence: “[T]he hacking of Anthem shows the urgent need to improve our nation’s cybersecurity infrastructure. This situation is untenable – that’s why a top priority of the House Intelligence Committee is to develop a strong cyber bill that encourages private companies to share information about attacks on their systems.” Michael Daniel, President Obama’s top cybersecurity adviser, commented that “It’s quite concerning that we would have another intrusion of this size.”
Health industry companies are squarely in the sights of hackers, both because of the relative value of healthcare information and because of the perception that healthcare companies are less prepared to defend against cyber-attacks than large financial or retail companies. Healthcare information is lucrative, often selling in underground markets at significant multiples of the amounts paid for credit card numbers. The Anthem cyber-attack underscores the imperative for health industry companies both to strengthen their security infrastructure and to ensure that policies, procedures and detailed workflows are in place in advance to permit rapid response in the event of a breach or suspected breach.