Anthem Blue Cross Hacked

I thought it had been quiet recently – apparently too quiet.

Anthem, the healthcare insurance company that operates in 14 states and is the second largest insurance company in the country, reported that it had been hacked.  Anthem operates under a lot of names including Anthem Blue Cross, a name well known in the Northeast.

According to a statement signed by Anthem CEO Joe Swedish,  the attackers did not take credit card information or healthcare information. Anthem said that possibly as many as 80 million customers, current and former, are affected.

The fact that no healthcare information was taken has to be a huge relief to Anthem’s board. With the new HIPAA rules, the fine could possibly have been as much as 80 million records times a $1.5 million fine per record. That is $120 trillion. Of course, they would never be assessed such a large fine or even a small percentage of that number, but that is the potential max. Even 1/1000th of 1 percent of that number is a big number.

Another relief is that the hackers did not use the Sony attack technique of thermonuclear information destruction and wipe all of Anthem’s systems. That could have been a bit of a mess for them. Think about an insurance company that could not pay claims for a couple of months.

What the hackers did take is names, addresses, social security numbers, email addresses, employer information and income, and they took this for both current and former employees and customers. Mr. Swedish said that it was in the tens of millions of people and maybe as many as 80 million.

They only discovered this last week, so there is probably more they don’t know than they do know, and the facts may change. I give Anthem credit for announcing this so quickly. Most companies would not even know what the hackers got after a week, so it is possible that they have a good information risk management process in place – we don’t know yet.

One question that you might ask is why the hackers stole what they did steal.  I don’t have any insider info and the FBI is investigating, along with the security firm Mandiant, but I have a thought.

When the hackers at Home Depot stole those tens of millions of credit cards – or one of the other thousands of attacks that did not make the news – some, but only some, credit card companies issued new cards.  Some of those cards are still live.  More importantly, credit card numbers by themselves don’t sell for a lot of money any more because they get turned off pretty quickly.

BUT, if besides the credit card info you also have name, address, employer, social, date of birth, etc. – what hackers call “fullz”, meaning the full credit info – it sells for a lot more.

While that won’t help the hackers much right now regarding last year’s hack of Home Depot, when the next attack comes, having a database of information on 20 percent or more of the U.S. population is a hugely financially valuable tool.  Merge this with the 75 million records stolen from Chase last year and you have a pretty nifty database.

Like healthcare information, fullz information doesn’t change anywhere near as quickly as credit card information. Are you going to change your blood type or sell your house and move because of the hack? It is really hard to change your blood type and unlikely that you are going to move because of one.

What this means is that hackers, who are becoming good at using big data, have a great repository of information to merge with the next credit card or healthcare hack to make a whole lot more money. And yes, hackers do work together – not so much for fun as for the collective profit, so my scenario is very realistic. That combined information makes it a lot easier for the hackers to create new credit in your name than just having a credit card number and even the PIN.

Only time will tell, but check back for updates over the next few weeks.