The Anthem logo hangs at the health insurer's corporate headquarters in Indianapolis, Thursday, Feb. 5, 2015. Hackers broke into the company's database storing information for about 80 million people in an attack bound to stoke fears many Americans have about the privacy of their most sensitive information. (AP Photo/Michael Conroy)

FILE - This Wednesday, Dec. 3, 2014 file photo shows the Anthem logo at the company's corporate headquarters in Indianapolis. Health insurer Anthem said in a statement Wednesday Feb. 4, 2015 hackers infiltrated its computer network and accessed a swathe of personal information about current and former customers including their incomes and street addresses. (AP Photo/Darron Cummings, File)

Author: Tracy Seipel, who covers healthcare for the San Jose Mercury News.

Anthem health insurance customers across the nation reeled in outrage Thursday upon learning that up to 80 million of their names, Social Security numbers, birthdates, addresses and other data had been stolen, leaving them at high risk of identity theft.

Credit card and medical information apparently wasn’t taken, but that was cold comfort. Security and privacy experts called it the largest data breach in the health care industry, affecting one out of four Americans.

“What makes a health care breach so serious is that medical institutions collect all the information that data thieves and other fraudsters need to commit fraud,” said Beth Givens, founder and director of the San Diego-based Privacy Rights Clearinghouse. What’s worse, while a credit card number can easily be changed, much of the identifying data taken in the Anthem hack remains with a person for life.

Sources told this newspaper that federal investigators are probing whether hackers supported by China’s government are behind the breach. That leaves current and former Anthem customers in the unenviable position of wondering whether they’re caught up in international intelligence intrigue, or whether some fraudster will soon use their data to commit credit fraud, get jobs or Social Security benefits, or carry out some other bogus scheme.

“I’m shocked, but not surprised,” said Jeff Orum of Sunnyvale, a retired high-tech worker and Anthem customer who got an email Wednesday night from the insurer informing him of the fiasco. “These companies that have had data breaches give a lot of lip service to security, but their systems aren’t that secure, obviously.”

Orum, 56, disgustedly cited the note that Anthem President and CEO Joseph Swedish wrote to customers, saying the company hopes “that we can earn back your trust and confidence” by retaining more security experts.

“That’s just a load of hooey,” Orum said. “It would have been nice if that was in place before this happened.”

San Jose resident Nancy Hartsoch, 59, who just recently switched from Anthem, said she’s more worried about the thieves getting hold of her Social Security number, birthdate and address than if they had taken medical record information.

“If they have access to my health data, they’ll know I had a cortisone shot in my knee,” she said. “That’s less damaging than being able to replicate and become me” through identity theft, she said.

Anthem, based in Indianapolis and formerly called WellPoint, is the largest for-profit managed health care company in the Blue Cross and Blue Shield Association, serving customers in California and 13 other states.

California Anthem Blue Cross spokesman Darrel Ng said the insurer detects and prevents about 200 serious cyber attacks per month.

“Anthem has a robust internal security team that works with our industry partners to share information on both threats and tactics,” he said, adding that Anthem has now hired the cybersecurity firm Mandiant to evaluate its systems.

Mandiant made a splash with its 2013 report that China’s People’s Liberation Army was probably behind a series of 141 cyberattacks on entities in the United States and other English-speaking nations dating back to 2006. Mandiant was bought by Milpitas-based FireEye Inc. later in 2013.

“We’re continuing the investigation, working with Mandiant and the FBI, and when we determine the numbers who were affected we will send them notices to make sure they’re notified so they can enroll in identity theft preventing systems and credit monitoring systems for one year,” Ng said.

Rep. Jackie Speier, recently appointed to the House Intelligence Subcommittee on the NSA and Cybersecurity, said in a statement that the breach “could become a privacy nightmare for millions of consumers” and underscores the need for congressional action.

“How many more breaches will we endure before we admit that the private sector cannot solve this problem itself?” said Speier, D-San Mateo. “Our existing protections for all sensitive data — personal, commercial and governmental — are clearly insufficient.”

Intelligence Committee Chairman Devin Nunes, R-Clovis, agreed: “This situation is untenable — that’s why a top priority of the House Intelligence Committee is to develop a strong cyber bill that encourages private companies to share information about attacks on their systems.”

Lee Tien, senior staff attorney at the Electronic Frontier Foundation in San Francisco, said Anthem seems to be locking the barn door after the cows got out. He said the question should be: Why didn’t (Anthem) “hire the same level of so-called state of the art security assistance in the first place?”

Julie Fergerson, chairwoman of the Identity Theft Resource Center, said that all the personal data could be used on its own or could become prime fodder for “spear phishing.”

“Phishing” means tricking you into giving up usernames, passwords or credit card details. “Spear phishing” puts a more personal spin on that — with so much personal information about you already exposed, a fraudster can more carefully tailor a bogus mail, email, text or phone pitch specifically to you, perhaps even to get you to send money directly. Some such efforts can look like valid invoices from businesses or entities you use.

By any standard, 80 million records is a huge breach. Of the 783 data breaches recorded last year by the Identity Theft Resource Center, 782 of them added up to a total of 85.6 million records — though that other one, a breach reported by San Jose-based eBay last May, affected 145 million.

Fergerson said the breach wasn’t necessarily Anthem’s fault. Cybersecurity experts and hackers are in “a constant arms race” to outdo each other, she said, so it may be time to rethink what data the U.S. economy relies upon anyway.

“Anybody you give your Social Security number to, you need to think twice about how they store it — but frankly our entire society is based on using the Social Security number as a key,” Fergerson said. “Really, businesses need to change and make Social Security numbers not the primary authentication method and primary key for consumers.”

Staff writer Matt O’Brien contributed to this report.