Hacking leads to data breaches, and a breach is often a costly affair.
Let us take a close look at the Anthem data breach. Anthem is the second largest health insurer in the US. Before the deep dive, let's set the context by listing the aspects that need attention. As to "why", the aim and scope are obvious.
- What is the issue?
- What’s the impact of the data breach?
- When did the data breach occur?
- When was it noticed, detected?
- What immediate actions and steps were taken?
- When were the consumers notified of the compromise, data breach?
- What sequence of events led to the data breach?
- What is the Forensic report?
- How was the incident reported to the authorities?
- What was the incident response plan?
- Who owned the response plan?
- How did the team(s) swing into action?
- What actions were taken?
- How was it communicated?
- What PR measures were put in place?
- What are the conclusions from the forensic reporting?
- What actions were taken, after the conclusion of the report (report findings)?
- As a lesson learned – what new systems & procedures are in place to mitigate recurrence?
There is no doubt that Anthem had bad press. Fingers can be pointed to show that Anthem could have done a better PR job, but that is analysis after the fact and of little use. The compromise of personal information is a sensitive issue with downstream repercussions, all the more so when 80 million customer accounts are at stake.
The database of Anthem, the health insurance company, was hacked, which allowed hackers to gain access to 80 million customer accounts and their personal information. Most of the victims are current and former members of Anthem health plans, and even some nonmembers, since Anthem manages paperwork for some independent insurance companies. Millions of US residents had no idea that Anthem held their personal details. Now they know – the hard way.
According to Anthem: “On January 29, 2015, Anthem, Inc. discovered that cyber attackers executed a sophisticated attack to gain unauthorized access to Anthem’s IT system and obtained personal information ….” It went on to say: “The information accessed may have included names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, employment information, including income data. We have no reason to believe credit card or banking information was compromised.”
The impacted plans/brands included: Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare. Simply put, all the customers of these entities are at risk.
Forensic reporting points out that on December 10, 2014, someone compromised a database owned by Anthem Inc., and the compromise went undetected until January 27, 2015, when a database administrator discovered his credentials being used to run a questionable query, one he didn’t initiate. Two days after the detection, on January 29, Anthem alerted federal authorities and HITRUST C3 that its internal investigation had determined the incident was in fact a data breach. On February 4, 2015, the company disclosed the breach to the public.
A deeper analysis of the past history points to the fact that hackers made several unsuccessful attempts at hacking the database. Eventually, the hackers were successful and the data breach occurred. Based on Anthem’s defenses, it’s possible that the attacker(s) tried to compromise the database earlier in 2014 but were thwarted. However, they kept at it and eventually succeeded. Hackers continued to take the shots until they hit. Anthem should have swung into action to put more proactive defenses in place. We don’t know what action or inaction went on since those early incidents from 2010.
The irony is that in 2010 a data breach incident occurred in which 612,000 customer accounts were compromised. That breach led to a $1.7 million settlement between Anthem and the U.S. Department of Health and Human Services, as the disclosure of health information was a possible violation of the federal HIPAA privacy statute.
Now, after the data breach, Anthem engaged Mandiant, the world’s leading cybersecurity firm, to assist not only in its investigation but also in strengthening the security of its systems. Too little help, too late!
As part of the consumer redressal, Anthem is working with AllClear ID, a leading and trusted identity protection provider, to offer 24 months of identity theft repair and credit monitoring services to current or former members of an affected Anthem plan dating back to 2004.
Anthem Data Breach and Class Action Lawsuit:
The immediate fallout of the data breach incident was a class action lawsuit. Within days, additional lawsuits were filed in California and Alabama.
Lessons learned from the Anthem data breach:
A lesson to be learnt is that, despite the earlier hacking incident, Anthem failed to encrypt sensitive data. Had encryption been in place, the data would not have been totally compromised. At least, that’s one perspective.
There are some lessons to be learnt from the recent data breach incident. Remember, there is no one size fits all. That said, there can be a myriad of things that can be done to avoid potential data breaches. So, adopt a comprehensive strategy.
Here are some key takeaways – to mitigate and minimize risks.
- Be responsive and transparent
- Notify regulatory authorities and the public as quickly as possible.
- Conduct a Forensic report to assess what went wrong.
- Another critical aspect to be watchful of is that Attorneys General in 47 states can ask for the data around the breach incident. So, keep relevant information handy, and provide consistent information, to avoid any potential legal fallouts.
- Have an Incident Response Plan in place.
- Test the incident response plan. Identify and plug the gaps. This proactive approach is less costly than a reactive one, which is very expensive.
- Bring Legal and Public Relations on board along with IT
- Monitor System Anomalies
- Watch Network Admin Activity – use “identity-based threat detection models”
- Use Encryption, Data Masking – otherwise, most of the personal information is easily readable
- Give Customers Advice they can use
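
To make the "Watch Network Admin Activity" takeaway concrete, here is an added example (not part of the original article) of a minimal identity-based check: it learns each database account's usual source hosts, working hours and result sizes from audit records, then flags queries that break that profile, the kind of query the administrator above spotted by hand. The account names, hosts, log format and thresholds are constructed assumptions.

```python
import csv, io
from collections import defaultdict
from datetime import datetime

# Constructed audit records: timestamp, account, source_host, rows_returned
BASELINE_LOG = """\
2024-03-04T09:12:00,dba_admin1,ws-dba-01,120
2024-03-05T10:40:00,dba_admin1,ws-dba-01,3500
2024-03-06T14:05:00,dba_admin1,ws-dba-02,800
2024-03-07T16:30:00,dba_admin1,ws-dba-01,2200
2024-03-04T11:00:00,svc_report,app-rpt-01,50000
2024-03-05T11:00:00,svc_report,app-rpt-01,52000
"""
NEW_LOG = """\
2024-04-10T09:30:00,dba_admin1,ws-dba-01,1900
2024-04-10T02:14:00,dba_admin1,vpn-pool-77,4800000
2024-04-10T11:00:00,svc_report,app-rpt-01,51000
2024-04-11T15:00:00,dba_admin1,ws-dba-02,90000
"""

def parse(text):
    return [(datetime.fromisoformat(ts), acct, host, int(n))
            for ts, acct, host, n in csv.reader(io.StringIO(text))]

def build_profiles(events):
    """Per-account baseline: hosts seen, hours seen, largest result set."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set(), "max_rows": 0})
    for ts, acct, host, n in events:
        p = profiles[acct]
        p["hosts"].add(host)
        p["hours"].add(ts.hour)
        p["max_rows"] = max(p["max_rows"], n)
    return profiles

def score(event, profiles, volume_factor=10, hour_slack=2):
    """Return the list of reasons this event deviates from its account's profile."""
    ts, acct, host, n = event
    p = profiles.get(acct)
    if p is None:
        return ["unknown-account"]
    reasons = []
    if host not in p["hosts"]:
        reasons.append("new-source-host")
    # Simple hour distance; does not wrap around midnight.
    if not any(abs(ts.hour - h) <= hour_slack for h in p["hours"]):
        reasons.append("unusual-hour")
    if n > volume_factor * p["max_rows"]:
        reasons.append("row-volume")
    return reasons

def detect(baseline_text, new_text):
    profiles = build_profiles(parse(baseline_text))
    return [(e, r) for e in parse(new_text) if (r := score(e, profiles))]
```

An event that trips several reasons at once (new host, odd hour, bulk result) deserves a higher priority than a single volume spike from a known workstation.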