On January 29, 2015, Anthem Inc., the second-largest health insurer in the US, reported the discovery of a cyber attack in which an estimated 78.8 million health records were compromised. (Refer here). The incident has already sparked many lawsuits and is expected to reshape information security practices in the US and elsewhere. (See report in Fortune)
The data accessed by the attackers was not encrypted and included identity details such as Social Security numbers. Under the HIPAA Security Rule, encryption of protected health information is an "addressable" specification: a covered entity that chooses not to encrypt must document why and put an equivalent safeguard in place. Storing this data in the clear without such a justification is a violation of the HIPAA-HITECH security requirements and attracts civil penalties from the Department of Health and Human Services (HHS).
According to the company's own admission, the attackers gained access to Anthem's data by stealing the network credentials of at least five employees with high-level IT access. The data is believed to have been extracted over a period of 6 to 8 weeks, during which the attack went undetected. The company describes the attack as "sophisticated", but only the investigation will show whether it was genuinely sophisticated or simply a phishing campaign that harvested privileged credentials. In either case, the two facts that matter to a defender are that the attackers operated with legitimate credentials and that bulk extraction continued for weeks without triggering an alert.
This data breach may be the largest yet in terms of the financial impact on a single organization. The company is said to have insurance cover of US$ 100 million, but the claims in this case may far exceed that limit, which could also be a serious setback for the cyber insurance industry. The black-market rate for health data in the US is estimated at around US$ 470 per record (See this article). At that rate the 78.8 million records lost at Anthem would be worth roughly US$ 37 billion, or about Rs 2,33,000 crore, on the black market. The black-market price of data is normally 5 to 10% of the benefit a buyer can extract from it, so the gross value of the lost data, measured as the potential loss to consumers, could be of the order of US$ 370 billion. (Also see here)
Anthem is now focusing on its responsibilities under the HIPAA-HITECH Act to help affected persons protect themselves from the consequences of identity theft, by providing two years of identity protection service from AllClear ID. (Refer here) Bought individually, such a service costs around US$ 14.95 per month, so protecting 78.8 million IDs for two years would cost about US$ 28 billion at list price. Anthem will of course get a much cheaper bulk rate, but the cost is still likely to be of the order of US$ 3 billion. This is in addition to the cost of sending data breach notices to 78.8 million people by US first-class mail.
The net impact of this data breach on the health insurance industry, the cyber insurance industry, and the state of HIPAA implementation across the US (which extends to Business Associates in India) is likely to be enormous. It will shake the whole industry and may bring in several lasting changes in industry practice.
In the meantime, Anthem has attracted a further controversy by refusing to allow a US regulator, the Office of the Inspector General (OIG), to conduct a vulnerability scan of its systems, citing a corporate policy that no external audit is permitted. (Refer here)
The OIG in question belongs to the Office of Personnel Management (OPM), which oversees the Federal Employee Health Benefits Program and, in the course of that supervision, performs a variety of audits of the health insurers that provide plans to federal employees. Although it is a regulator of sorts, it does not have the powers available to HHS, which is the regulator under HIPAA and has statutory authority to audit and to impose penalties. Any audit authority of the OPM OIG would have to derive from its contract with Anthem, and Anthem's position is that the contract grants none.
While at first glance this stance appears self-defeating from a PR angle, it may serve to establish the primacy of HHS as the sole regulator of health data breaches and to resist attempts by multiple agencies to fish in troubled waters. (Also see here).
The Anthem attack itself is reported to have begun with phishing, and the incident has now become the lure for further scams, with phishing e-mails offering various "protection" services to affected members. The collateral damage can therefore extend well beyond the original breach of health data. Suspicions are already being aired that the attack originated from China (See here). If those suspicions are confirmed, the breach may acquire a "cyber war" tag, as the recent attack on Sony attributed to North Korea did.
The incident therefore has many dimensions, and security professionals need to keep a close watch on how it develops.
At the end of the day one wonders: could better encryption of the data at rest have prevented this multi-billion dollar catastrophe? It would certainly have removed the most damaging fact from the disclosure, that the records were stored in the clear. The caveat a practitioner would add is that encryption at rest protects against theft of the storage media or of raw database files; an attacker operating with the stolen credentials of privileged users typically reads the data through the same path that decrypts it for legitimate use. Encryption at rest therefore needs to be paired with key management that keeps decryption keys away from ordinary administrative accounts, and with monitoring that would have flagged weeks of bulk extraction.