On Thursday, millions of Anthem Inc. health insurance customers woke up to a company e-mail notifying them that hackers may have gained access to their names, birth dates, Social Security numbers, addresses and employment data—including income figures—during a data breach.
The breach was first announced late Wednesday in a company statement, and could affect as many as 80 million current and former Anthem customers.
Local cybersecurity veterans tell DC Inno that the attack was most likely part of a plan to sell stolen Social Security numbers.
“We [SurfWatch Labs] don’t know the origin or identities of the attackers but an attack this size is likely financially motivated,” Adam Meyer, chief security strategist at Sterling, Va.-based cybersecurity startup SurfWatch Labs, told DC Inno. “Social Security numbers typically sell on black market sites for $3-$5. Investigators have not yet found Anthem data for sale online.”
This sort of direct cyber attack on consumers may be historically unprecedented. Because Anthem relies heavily on public perception and relations, the hack could hurt its reputation with customers throughout the public sphere. As it stands, Anthem is the nation’s second-largest health insurance company.
“With a healthcare breach of this size, you get fraud, identity theft, financial loss, damaged reputations and more that’s the equivalent of the Exxon Valdez oil slick; it’s dirty, it sticks, it gets everywhere, and it takes a long time to clean up,” SurfWatch CEO Jason Polancich, formerly a 20-year NSA veteran, told DC Inno.
Early statements indicate that Protected Health Information (PHI) was not included in the stolen data, in which case HIPAA regulations would not apply to this incident. The data appears to have been exfiltrated through an external web service, such as Google Cloud, Microsoft OneDrive or Dropbox, Meyer said.
“[Anthem] immediately made every effort to close the security vulnerability, which suggests that a known vulnerability was exploited in the corporate Web environment or that a payload was delivered via spear phishing to employees but was easily corrected once identified as the point of entry,” he said.
“If 2015 is the year of the consumer as a cyber target, we’re likely to see the next few years record hits against the consumer as a patient,” Polancich said. “The amount of valuable data available within healthcare and related organizations like insurance is even higher. As well, healthcare companies on the whole are a bit behind the curve as far as depth and breadth of cyber defense.”