Breach Notification , Incident & Breach Response , Managed Detection & Response (MDR)
Anthem Breach Tally: 78.8 Million AffectedInvestigation of How Much Data Was Actually Stolen Continues
(This story has been updated.)
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
Anthem Inc. now confirms that the health insurer's recent data breach compromised a corporate database containing personal information on 78.8 million individuals. Earlier reports about the breach, which was revealed Feb. 4, estimated the total at 80 million.
Those affected include 60 million to 70 million of Anthem's current and former members, a spokesperson for Anthem confirmed in a statement provided to Information Security Media Group. The remainder include members of other Blue Cross and Blue Shield plans who used their insurance in a state where Anthem operates during the past 10 years, the insurer says.
Anthem, the nation's second largest health insurer, estimates tens of millions of individuals' records were actually stolen, and not just viewed, by the hackers, Reuters reports. In its statement provided to ISMG, Anthem notes that it's continuing to analyze how many members' information was stolen by the hackers. But the company says it anticipates the number affected by theft of data "to be less than the total number of consumers whose data could have been viewed."
The Hill reports that Robert Anderson, who leads the FBI's criminal, cyber, response and services branch, told reporters during a roundtable on Feb. 24 that the bureau is "close" to identifying the hackers responsible for the Anthem breach. But Anderson added that the FBI would not release the identity of the hackers until the bureau is "absolutely sure."
The records for approximately 14 million people in the database are incomplete, which has prevented the health insurer from identifying where the customers had enrolled, according to Anthem's statement. "It is important to note that there is a very low likelihood that these incomplete member records tie to current, active Anthem members," the company says.
The insurer says that information exposed in the breach did not include "credit card information, banking information or confidential health information." But the hack did expose names, dates of birth, Social Security numbers, member health ID numbers, home addresses, phone numbers, e-mail addresses and employment information, including income data, Anthem says.
On Feb. 24, attorneys general in several states issued statements confirming the number of impacted residents. For example, Connecticut Attorney General George Jepsen says the Anthem breach impacted more than 1.7 million residents. And the Minnesota Department of Commerce says the cyber-attack compromised data on more than 30,000 Minnesotans.
Anthem's Report to SEC
According to Anthem's 10-K document filed with the Securities and Exchange Commission on Feb. 24, the cyber-attack did not affect the company's financial performance for 2014, but it will result in significant expenses this year.
"We have incurred expenses subsequent to the cyber-attack to investigate and remediate this matter and expect to continue to incur expenses of this nature in the foreseeable future," the filing notes. The company adds that it's unable to quantify the ultimate magnitude of such expenses at this time, but "they may be significant. We will recognize these expenses in the periods in which they are incurred."
Anthem notes in the filing that it has "contingency plans and insurance coverage for potential liabilities" related to the breach, "however, the coverage may not be sufficient to cover all claims and liabilities."
Multiple class action suits related to the breach have been filed against Anthem in several states.
In addition to the lawsuits and data breach costs, Anthem acknowledges in its SEC filing that it also faces possible government fines related to the incident.
Services for Victims
Anthem on Feb. 13 began offering breach victims two years of free credit monitoring and identity theft insurance, plus "identity repair assistance" (see: Anthem Offers Services to Breach Victims).
The health insurer believes that the attack may have begun with phishing e-mails sent to a handful of its employees (see: Anthem Breach: Phishing Attack Cited). This is just one of several options being investigated as the cause of the breach. It also warned its members that the breach is being used as a lure by online and telephone scammers.
Anthem says that the data breach likely began as early as Dec. 10, and that related intrusions likely continued until Jan. 27, when suspicious database queries were first detected, Anthem spokeswoman Kristin Binns told the Associated Press. She added that investigators, who confirmed the breach on Jan. 29, have found unauthorized data queries that date from at least Dec. 10, although some of those queries were blocked by the company's automated defenses.
In addition to the FBI's ongoing investigation, Anthem hired digital forensic investigation and breach-response firm Mandiant, a FireEye company, to probe the cause of the breach. Meanwhile, state insurance commissioners and attorneys general have launched investigations into the cyber-attack, and a U.S. Senate committee is also examining the healthcare industry's preparedness for mitigating cyberthreats (see: State Authorities Probe Anthem Hack).
The Legal Impact
Stephen Treglia, a HIPAA compliance expert and legal counsel at Absolute Software, notes: "It's way too early to estimate the enormity of the legal reaction to this Anthem breach. At last look, I noticed the Target breach generated well over 100 lawsuits, but that was over a period of months."
Multiple factors likely contributed to the breach, Treglia says. "An acquisition of data this large should have registered on Anthem's detection system, even if it was done slowly over a period of seven weeks," he contends.
"The bottom line is that it's still too soon to know the real story behind this hack just yet," he adds. "It takes time to explore all possibilities. Anthem has employed the services of one of the well-known intrusion detection firms, which is currently assessing the situation. So the real answer of whether Anthem's systems were weakly defended or Anthem was the victim of a highly sophisticated cyber-attack to which many companies' systems would have fallen prey won't be coming for a while just yet."
(Executive Editor Marianne Kolbasuk McGee contributed to this story.)