The massive computer breach against Anthem, the nation’s second-largest health insurer, exposes a growing cyberthreat facing health-care companies that experts say are often unprepared for large attacks.
Hackers gained access to the private data of 80 million former and current members and employees of Anthem in one of the largest medical-related cyber-intrusions in history.
Authorities said the breach, which was discovered late last month and disclosed this week, did not involve private health records or credit card numbers but did expose Social Security numbers, income data, birthdays, and street and e-mail addresses.
Investigators suspect Chinese hackers may be responsible for the breach, according to a person briefed on some aspects of the probe. There are also some indications that other health-care companies may have been targeted, said the individual, who spoke on the condition of anonymity to discuss the ongoing investigation.
Security experts said health care has become one of the ripest targets for hackers because of its vast stores of lucrative financial and medical information. Health insurers and hospitals, they added, have often struggled to mount the kinds of defenses used by large financial or retail companies, leaving key medical information vulnerable.
While medical records, such as treatment details or test results, were not compromised in what Anthem called “a very sophisticated attack,” experts say the breach underlines the worrying potential for hackers to steal private health data that is valued on the black market as tools for extortion, fraud or identity theft. Medical information could be exploited, for example, to file false insurance claims and buy prescription drugs, and attackers could extort cash from policyholders desperate to keep their private medical data under wraps.
“Health-care records are the new credit cards,” said Ben Johnson, chief security strategist at cybersecurity firm Bit9 + Carbon Black. “If someone gets your credit card number, you cancel it. If you have HIV, and that gets out, there’s no getting that back.”
Anthem, formerly known as WellPoint, covers 1 in 9 Americans through its affiliate health plans, including under the Blue Cross Blue Shield brands. The breach has “definite potential to be the largest” hack of a health-care organization, although it is too early in the investigation to say definitively, said Vitor De Souza, a spokesman for FireEye, which owns the company now helping with Anthem’s security.
The data breach could affect individual policyholders as well as those enrolled in managed-care plans through Medicaid. Anthem’s chief executive, Joseph R. Swedish, was among those to have their personal data exposed. Anthem said it will notify current and former members whose information was breached, as well as provide free credit-monitoring and identity-protection services.
Once Anthem discovered the data breach Jan. 29, company officials contacted the FBI and retained Mandiant, a cybersecurity firm, to investigate the attack and review the insurer’s defenses. The intrusion occurred in early December, or possibly earlier, according to a second person briefed on aspects of the case, who also spoke on the condition of anonymity. The FBI said it is investigating the breach, which was reported Thursday by the Wall Street Journal.
Hackers were able to grab some of what experts called the most lucrative and damaging types of stolen personal data. Social Security numbers are an attractive target because they are tough to change and crucial to government, financial and medical use.
A set of complete health insurance credentials sold for $20 on underground markets in 2013 — 10 to 20 times the price of a U.S. credit card number with a security code, according to Dell SecureWorks.
Medical information includes key identifying details that could be used to create a “fake patient” that could fraudulently bill programs such as Medicaid, experts said.
“What we’ve seen in the last few years is that attackers have realized the economics of health-care data are very, very attractive,” said Lee Weiner, senior vice president at cybersecurity firm Rapid7.
The link to Chinese hackers, which was first reported by Bloomberg News, means the attack could be part of a larger campaign, experts say.
Dmitri Alperovitch, co-founder of cybersecurity firm CrowdStrike, said he has seen Chinese government hackers target health-care providers and insurance companies in the past six months for Social Security numbers and personal identifying information as well as health-care information.
“China sucks up as much information as possible on a variety of people that could come in handy later,” he said, adding that CrowdStrike does not have information on the Anthem hack.
China has also been implicated in hacks on USIS, a major U.S. contractor that conducts background checks for the Department of Homeland Security. The Chinese have also targeted state motor vehicle departments and other agencies with large databases, Alperovitch said.
“The more information the Chinese have about large segments of the American population, the easier it is for them to penetrate our military and intelligence agencies,” said Joel Brenner, a former top U.S. counterintelligence official. “They then have the health-care information, the fingerprints and the real names of an enormous set of people, many of whom are prime recruits for our intelligence services or our military or who are already in our military. It’s an enormous advantage in penetrating cover.”
That employee data was stolen in the Anthem hack could indicate that hackers might be preparing for another attack, which would allow them to access internal systems that they were otherwise unable to reach, said Tom DeSot, an executive at the cybersecurity firm Digital Defense.
The health-care industry has struggled to fortify itself against cyberattacks. Hospital groups and health insurers have often grown through buying smaller, regional firms with different technology and no overarching security policy. Many also use older computer systems that have proved more susceptible to attack.
“Health care can be a big, leaky boat,” said Katherine Keefe, leader of breach response services for Beazley, a London-based speciality insurer that offers cyber-liability coverage. “There’s a lot of private information that flows in and out . . . and [among attackers] there’s an awareness now that health-care information on its own is quite valuable.”
Experts at the security-ratings firm BitSight said last year that the health-care industry’s cyberdefense showed “signs of serious illness,” posting a bigger increase in security incidents over the previous year than industries such as finance and retail, but with continued failures to respond quickly to threats.
Health-care providers, which must disclose breaches affecting more than 500 people, have reported about 1,200 breaches since 1997, a federal health database shows.
Anthem has come under fire in the past for its security. The insurer agreed in 2013 to pay $1.7 million to resolve federal claims that poor internal safeguards left personal information, including Social Security numbers and health data, from more than 600,000 people available online.
In August, Chinese hackers grabbed names, addresses and Social Security numbers from more than 4 million patients of Community Health Systems, one of the country’s largest for-profit hospital groups. The FBI warned after that attack that the health-care industry was being targeted by hackers.
Federal leaders said the Anthem breach appeared emblematic of a larger weakness in the country’s cyberdefense. Rep. Devin Nunes (R-Calif.), chairman of the House Intelligence Committee, said the Anthem hack “shows the urgent need to improve our nation’s cybersecurity infrastructure.” Michael Daniel, President Obama’s chief cybersecurity adviser, said, “It’s quite concerning that we would have yet another intrusion of this size.”
Hackers have routinely targeted retailers rich with consumer data, including attacks last year that breached data for 110 million Target customers and 53 million Home Depot customers. JPMorgan Chase, the nation’s largest bank, had records for 76 million households breached last summer. Federal officials called the damaging hack last year of Sony Pictures Entertainment a “serious national security issue.”
Andrea Peterson contributed to this report.