Harman Patil (Editor)

Anthem medical data breach


The Anthem medical data breach was a data breach affecting information held by Anthem Inc.

On February 4, 2015, Anthem, Inc. disclosed that criminal hackers had broken into its servers and potentially stolen over 37.5 million records containing personally identifiable information. On February 24, 2015, Anthem raised the number to 78.8 million people whose personal information was affected. According to Anthem, Inc., the data breach extended into multiple brands Anthem, Inc. uses to market its healthcare plans, including Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, and UniCare. Healthlink says it was also a victim.

Anthem says that medical information and financial data were not compromised. Anthem has offered free credit monitoring in the wake of the breach. According to Bloomberg News, China may be responsible for this data breach. Michael Daniel, chief adviser on cybersecurity for President Barack Obama, said he would be changing his own password. According to The New York Times, about 80 million company records were hacked, and there is fear that the stolen data will be used for identity theft. The compromised information contained names, birthdays, medical IDs, social security numbers, street addresses, e-mail addresses and employment information, including income data.

Theft of the data

Anthem was not required by law to encrypt the data. Anthem could face civil lawsuits for not having this data encrypted.

The data was stolen over a period of weeks in the month before the breach was discovered.

Use of the data

Data from the attack is expected to be sold on the black market.

Impact

People whose data was stolen could face problems with identity theft for the rest of their lives. Anthem had a US$100 million insurance policy for cyber problems from American International Group. One report suggested that all of this money could be consumed by the process of notifying customers of the breach.

Responses

Anthem advised people whose data was stolen to monitor their accounts and remain vigilant.

Anthem retained Mandiant to review its security systems.

The theft of the data raised fears generally about the theft of medical information. A writer from Harvard Law School suggested that this data breach might spark reform of security practices and government data safety regulation.

An investigation conducted by several state insurance commissioners blamed the breach on an attacker whose identity was withheld, and claimed that the breach was likely ordered by a foreign government whose name was withheld. It concluded that Anthem had taken reasonable measures to protect its data before the breach and that its remediation plan was effective at shutting down the breach once it was discovered. It also marked the starting date of the breach as February 18, 2014.
