Anthem, the nation’s second largest health insurance company, announced late Wednesday that the company had fallen victim to a massive data breach.
“Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data,” President and CEO Joseph R. Swedish said in a statement. “Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.”
Swedish added that not only members’ information had been accessed, but also that of current employees, including his own.
According to the Anthem FAQ site, all of Anthem’s product lines have been affected: Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, HealthLink, and DeCare.
Anthem has retained Mandiant, a well-known cybersecurity firm, and is also cooperating with the FBI to investigate how the breach occurred. While the investigation is ongoing, we do know that the database that was accessed contained information on around 80 million customers. Anthem spokeswoman Cindy Wakefield has said that Anthem believes the number affected will be in the “tens of millions”.
“It’s not known yet where the attack came from or how the hackers got inside Anthem’s computer systems,” said Vitor De Souza, spokesman for Mandiant’s FireEye Inc. “What is known is that the malicious software used to infiltrate the network and steal data was customized, which can be a sign of an advanced attacker, and is a variant of a known family of hacking tools. Investigators were able to track the stolen data to an Internet storage service that the attackers were using to warehouse their pilfered information.”
Since the announcement there has also been a lot of speculation about whether Anthem has actually violated HIPAA rules and regulations. Our belief is that the data believed to have been stolen does in fact contain PHI as defined by section 1171 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA):
“(6) INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION.–The term ‘individually identifiable health information’ means any information, including demographic information collected from an individual, that–”
“(A) is created or received by a healthcare provider, health plan, employer, or health care clearinghouse; and”
“(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and–”
“(i) identifies the individual; or”
“(ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”
Eric W. Cowperthwaite, currently Vice President of Advanced Security & Strategy at Core Security, also strongly believes that this incident does in fact constitute a HIPAA security breach. “Some articles I’ve seen this morning are saying that HIPAA won’t apply because there was no medical information contained within the data that was breached. That is incorrect,” said Cowperthwaite. “Name, SSN and medical ID are elements of Protected Health Information (PHI) as defined by the HIPAA Privacy and Security Rules. This is absolutely a breach of PHI and the requirements of the HIPAA Security Rule.” Mr. Cowperthwaite previously served as CISO of Providence Health & Services for 7 years.
This would not be the first time a HIPAA violation has been pursued when no direct medical information was released. One precedent was set in 2009, when an employee of Tenet Healthcare and an accomplice were charged with felony HIPAA violations. According to the indictment, Jacquetta L. Brown took records containing personal information of PGH patients, and she and Renee Barbary used the stolen personal information in a credit card fraud scheme. The stolen patient profile records included patients’ names, birthdates, Social Security numbers, addresses, drivers’ license numbers, and next of kin contacts.
For the last three years, the healthcare industry has topped the data breach charts. The Identity Theft Resource Center Breach Report for 2014 indicated that 42.5% of breaches last year were in the Medical/Health Care sector, well above the 33% seen in the second-place sector, Business.
Anthem members can access information about the breach at www.anthemfacts.com, or by calling 877-263-7995.