
Anthem healthcare breach is smaller – and bigger – than first thought

There's good and bad news about Anthem's recent data breach. The bad news includes the risk to between 8.8M and 18M non-customers who were in Anthem's database anyway...

At the start of February 2015, we wrote about a large-scale data breach at US health insurance company Anthem.

Healthcare insurers are an obvious target for cybercrooks because they don’t just keep plain old PII (personally identifiable information) about you, like a bank or a mobile phone company.

They also collect, collate and retain some of the most visceral sorts of personal data about you, literally and figuratively, in order to assess how much you’re likely to cost them as a customer.

If you’ve ever applied for private health insurance, in the USA or anywhere else, you’ve probably drawn breath at some of the questions, which may well cover your lifestyle, your leisure activities, and extensive lists of treatments and operations you’ve already had.

Social engineering

As you know, that sort of information is deeply personal (and very little of anyone else’s business), and, ipso facto, an astonishing insight into your life.

Combined with your employment history, which you might have decided to give away openly on sites like Facebook and LinkedIn, you can imagine how useful your medical story might be to crooks who are into social engineering.

Social engineering is the practice – the devious, tricky, dishonest and fraudulent practice – of simulating a trusted relationship with a person or a company in order to get at products, services, funds, passwords, and much more.

At the outset, Anthem offered two small solaces: the PII that was found and stolen from its databases didn’t include payment card or medical data:

We have no reason to believe credit card or banking information was compromised, nor is there evidence at this time that medical information such as claims, test results, or diagnostic codes, was targeted or obtained.

The company is sticking to that story as its investigation unfolds, and although Anthem may never be certain that the crooks didn’t get further or deeper than it now seems, we suggest you accept it as if it were a fact.

Identity theft

The breach was nevertheless an identity thief’s dream:

Initial investigation indicates that the member data accessed included names, dates of birth, member ID/social security numbers, addresses, phone numbers, email addresses and employment information.

If you’ve ever filled in something like a credit card application, you can probably imagine how far into the form that PII alone would get you.

In other words, for all that the crooks didn’t get hold of your current credit card information, they might very well end up with one of your future credit cards – one that you aren’t even aware of yourself because the crooks applied for it.

Breach update

Anyway, according to Reuters, Anthem now has slightly more detail about the scale of the breach so far.

The good news is that the original estimate of “about 80,000,000 records” has now been specified as a rather more precise 78,800,000.

That’s only about 2% better than the first guess, but is nevertheless great news for the 1,200,000 people who are now off the hook.

The bad news is something that may seem obvious to our US readers, but came as a bit of a surprise to us.

The Blue Cross Blue Shield (BCBS) medical coverage plans that were affected in this breach aren’t owned and operated only by Anthem, but by a range of different providers around the USA.

But reciprocal agreements with other providers – there are apparently 37 independently operated BCBS member companies – mean that Anthem keeps records on other companies’ customers, too, for example so it can pay out benefits if you are interstate.

And according to Reuters, that means that between 8,800,000 and 18,000,000 people who aren’t Anthem customers, and who might therefore have treated Anthem’s breach as something of a “news sideshow” in their lives, may also be affected.

The “one hundred million” club

It’s not clear whether those 8.8M-18M non-customers are included in the 78.8M records mentioned above.

Our assumption is that the precision of 78.8M against a range of 8.8M to 18M suggests that the non-customer records will need to be added to the existing total once the number of non-customers affected has been firmed up.

Assuming the worst therefore gives us a breach count of 78.8M + 18M, or 96.8M compromised records.

That’s not quite enough to project Anthem into what we have rather cheekily dubbed the “one hundred million” club.

But it’s still a staggeringly sized breach, affecting close to one third of all Americans.

Anthem has published some good advice about how to deal with the risk of identity theft. It’s worth reading even if you weren’t affected by this breach. Notably, Anthem has committed to telling potential victims by old-fashioned snail mail only, sent through the US Postal Service. That means you are safe to assume that anyone who emails you or calls you about the breach is a scammer. Delete the email or hang up the phone: don’t buy, don’t try, don’t reply.


First, without spelling it out, they have confirmed PHI was stolen. The medical record identifier is listed as one of the pieces of data stolen. When you couple that with PII, it is now PHI. Secondly, I believe, although I could be wrong, those external customers were included. The reason is that most of the articles I’ve read indicate Anthem only had about 10 million customers.


If Anthem had (I noticed you used the past tense :-) 10M customers and up to 18M non-customers on record…

…how do you get to 78.8M, with or without the 18M?


Just guessing, but it might depend on what a “record” is. (Does a customer have more than one record? For example, is a record a single doctor visit?)


I believe your information about customers not receiving emails is incorrect. I received an informational email from them on 2/25/2015.


What the hackers are doing with the information is using it to file fraudulent income tax returns and then taking the refunds. I know of at least a dozen people who have attempted to file their tax returns and have discovered that they have already been filed, and their refund is no longer there. Therefore they are having to prove their identity, file a corrected return and then hope to get their refund.


Duck wrote:
“The bad news is something that may seem obvious to our US readers, but came as a bit of a surprise to us.

“But reciprocal agreements with other providers – there are apparently 37 independently operated BCBS member companies – mean that Anthem keeps records on other companies’ customers, too, for example so it can pay out benefits if you are interstate.”

Here’s an example. IBM contracted for medical insurance in 2004 for all (50,000-100,000) of its US employees from Empire BCBS (New York). For those employees in the other 49 states, claims were processed by Anthem.

(I’m probably in the affected group which means I’ve been exposed in two breaches in two days–a new record for me. The other one was the Form 990N e-Postcard breach which you haven’t reported yet. Top that off with what might be a phishing email from Target which arrived last night–yes, I was in that one too.)


Would you be interested in a copy of the email that Anthem sent out to its members on 02/25/15? If yes, I’ll be happy to forward a copy.

Somewhat off topic, yesterday I spent several hours trying to use some of the links that are available to redirect an Anthem member to their Pharmacy provider. Of the five links only two actually worked. I tested the links using four different browsers. The Anthem website tech support was not particularly interested or helpful when I called in to report bad links on their website. Oh, BTW, they said that they only support Firefox up to version 27. They did not even know that Mozilla had just released version 36. The Express Scripts website tech support, on the other hand, was interested in figuring out what the problem was. I surmise that since Anthem, as have many providers in the US, has outsourced its tech support, the outsourcing may have played a role in the data breach.


Oh goody. Just when I thought I was safe. Not properly encrypting this stuff should be considered criminal negligence.


Many are finding that the breach cancelled their policies. This isn’t being found out until a provider calls to verify their benefits. The provider is told the policy was opened and terminated on the same day.

