Naked Security Naked Security

Anthem healthcare breach is smaller – and bigger – than first thought

There's good and bad news about Anthem's recent data breach. The bad news includes the risk to between 8.8M and 18M non-customers who were in Anthem's database anyway...

At the start of February 2015, we wrote about a large-scale data breach at US health insurance company Anthem.

Healthcare insurers are an obvious target for cybercrooks because they don’t just keep plain old PII (personally identifiable information) about you, like a bank or a mobile phone company.

They also collect, collate and retain some of the most visceral sorts of personal data about you, literally and figuratively, in order to assess how much you’re likely to cost them as a customer.

If you’ve ever applied for private health insurance, in the USA or anywhere else, you’ve probably drawn breath at some of the questions, which may well cover your lifestyle, your leisure activities, and extensive lists of treatments and operations you’ve already had.

Social engineering

As you know, that sort of information is deeply personal (and very little of anyone else’s business), and, ipso facto, an astonishing insight into your life.

Combined with your employment history, which you might have decided to give away openly on sites like Facebook and LinkedIn, you can imagine how useful your medical story might be to crooks who are into social engineering.

Social engineering is the practice – the devious, tricky, dishonest and fraudulent practice – of simulating a trusted relationship with a person or a company in order to get at products, services, funds, passwords, and much more.

At the outset, Anthem offered two small solaces: the PII that was found and stolen from its databases didn’t include payment card or medical data:

We have no reason to believe credit card or banking information was compromised, nor is there evidence at this time that medical information such as claims, test results, or diagnostic codes, was targeted or obtained.

The company is sticking to that story as its investigation unfolds, and although Anthem may never be certain that the crooks didn’t get further or deeper than it now seems, we suggest you accept it as if it were a fact.

Identity theft

The breach was nevertheless an identity thief’s dream:

Initial investigation indicates that the member data accessed included names, dates of birth, member ID/social security numbers, addresses, phone numbers, email addresses and employment information.

If you’ve ever filled in something like a credit card application, you can probably imagine how far into the form that PII alone would get you.

In other words, for all that the crooks didn’t get hold of your current credit card information, they might very well end up with one of your future credit cards – one that you aren’t even aware of yourself because the crooks applied for it.

Breach update

Anyway, according to Reuters, Anthem now has slightly more detail about the scale of the breach so far.

The good news is that the original estimate of “about 80,000,000 records” has now been specified as a rather more precise 78,800,000.

That’s only about 2% better than the first guess, but is nevertheless great news for the 1,200,000 people who are now off the hook.

The bad news is something that may seem obvious to our US readers, but came as a bit of a surprise to us.

The Blue Cross Blue Shield (BCBS) medical coverage plans that were affected in this breach aren’t owned and operated only by Anthem, but by a range of different providers around the USA.

But reciprocal agreements with other providers – there are apparently 37 independently operated BCBS member companies – mean that Anthem keeps records on other companies’ customers, too, for example so it can pay out benefits if you are interstate.

And according to Reuters, that means that between 8,800,000 and 18,000,000 people who aren’t Anthem customers, and who might therefore have treated Anthem’s breach as something of a “news sideshow” in their lives, may also be affected.

The “one hundred million” club

It’s not clear whether those 8.8M-18M non-customers are included in the 78.8M records mentioned above.

Our assumption is that the precision of 78.8M against a range of 8.8M to 18M suggests that the non-customer records will need to be added to the existing total once the number of non-customers affected has been firmed up.

Assuming the worst therefore gives us a breach count of 78.8M + 18M, or 96.8M compromised records.

That’s not quite enough to project Anthem into what we have rather cheekily dubbed the “one hundred million” club.

But it’s still a staggeringly-sized breach, affecting close to one third of all Americans.

Anthem has published some good advice about how to deal with the risk of identity theft. It’s worth reading even if you weren’t affected by this breach. Notably, Anthem has committed to telling potential victims by old-fashioned snail mail only, sent through the US Postal Service. That means you are safe to assume that anyone who emails you or calls you about the breach is a scammer. Delete the email or hang up the phone: don’t buy, don’t try, don’t reply.