Tag Archives: Anthem

Anthem Refused Audit Required As Part Of Contract

The Register is reporting that Anthem refused to allow U.S. government auditors to audit its systems, as required under a contract that Anthem has with the U.S. government. This news is coming out after Anthem was hacked and some 88 million customer records were taken.

The Office Of Personnel Management Inspector General audits insurers who provide insurance to government employees under the Federal Employees Health Benefits Program.

OPM has a particular audit protocol that is somewhat intrusive but not out of the ordinary, and Anthem told them no, they could not do that.

I have been a vendor to several of the world’s largest banks and they used to audit my firms on a regular basis.  If we told them to go away, they would have told us to go away as well.

It is not at all clear why OPM allowed Anthem to continue to do business with the government under these circumstances.  It is the difference between private industry and government.

OPM wrote a report on WellPoint (now Anthem) that said, in part:

WellPoint has not implemented technical controls to prevent rogue devices from connecting to its network. Also, several specific servers containing Federal data are not subject to routine vulnerability scanning, and we could not obtain evidence indicating that these servers have ever been subject to a vulnerability scan.
In addition, WellPoint limited our ability to perform adequate testing in this area of the audit. As a result of this scope limitation and WellPoint’s inability to provide additional supporting documentation, we are unable to independently attest that WellPoint’s computer servers maintain a secure configuration.

Given this report, it is totally unimaginable that, in private industry, they would have been allowed to continue as a supplier.

After the breach, OPM again tried to audit Anthem and they again said no.

And, they continue to collect checks from the government.

This should be interesting fodder for the lawsuit machine.



10 States Going After Anthem After Data Breach

Reuters is reporting that 10 states, led by Connecticut, have sent a letter to Anthem complaining that the company is moving too slowly in notifying consumers of the data breach that affected up to 80 million customers and employees (see article). The states are assuming that Anthem knows precisely whose data was taken, and Anthem may not know that yet.

I hadn’t really thought about it, but this breach is really quite different from having your credit card stolen, as in the Target breach.

In the Target case, under federal law, your maximum liability for fraudulent charges is $50 and many credit cards waive even that.

It is a bit of a pain: you call the credit card company, maybe you sign a form, they close the card, issue you a new one, remove the charge, and you are done.

One advantage of using credit cards over debit cards, if you can, is that with a credit card you are arguing over a bill. With a debit card, the money is already gone from your bank account.

However, in the case of Anthem, you may have a right to sue Anthem if that data is used to, say, open a fake account in your name, but you would have to prove that you were damaged and prove that it was Anthem’s fault. Even if you are successful, it could take years to go through the courts.

The states are saying that Anthem must commit to reimbursing people for any losses associated with the breach between the time of the breach and the time that the company provides access to credit monitoring services.

Leaving aside that those services are far from bulletproof, and leaving aside the delay between when the service is made available to you and when you actually sign up for it and it becomes active, the states are not saying that Anthem should assume responsibility for what happens to you after you sign up for credit monitoring services.

And, as I said before, since the effects of this kind of fraud can last for years, unlike credit card fraud which can be shut off by issuing a new card, people will be dealing with this for years.

And, apparently, legally, Anthem may have to pay a fine, but if you are damaged, you are going to have to sue them to try and be made whole.

That means, if you are a current or former Anthem customer or employee, that you should be checking your credit report frequently for any bogus accounts that might have been set up.



Anthem Breach Blame Game Begins

UPDATE: In a post on Dark Reading, they have added a few more details. The breach, they say, started December 10th, about two months ago. They detected the breach on January 27th and notified customers 8 days later. Compared to other breaches, that is very quick.

While they are calling this by that overused term, advanced persistent threat or APT, the term is probably appropriate in this case because the malware was customized for Anthem.  Mandiant, who is working with Anthem, said the bad guys could likely just change the IOCs (indicators of compromise) and sneak it in undetected somewhere else.  That is not a pleasant thought for other insurance companies.  All of them, no doubt, are looking in the corners and under the beds to see if they have been had as well.

They were able to detect this because of logging: a database administrator noticed unauthorized queries running with admin credentials. Still, it took them two months.

Anthem reset all admin passwords when they discovered this (more power to them; in most organizations, doing that would bring the world crashing down upon them). They also disabled all accounts without two factor authentication (at least they had two factor, even if they were not using it everywhere).

The question about encryption has been danced around, although it is fair to say that if the hackers had database admin credentials, encryption at rest would not have protected the data.


Insurance Networking News has a pretty detailed article on the Anthem breach.  Investigators believe at this point that the breach was state sponsored, likely by China.  If true, that means that two of the largest recent breaches (Anthem and Sony) were either conducted by or sponsored by state actors who are, to be kind, not very friendly to the United States.

James Mapes of security consultancy BestIT says that while credit card numbers go for between 10 cents and 25 cents each, stolen medical records go for between $100 and $300 per record.

Up until now, health care organizations did not spend much money on information security since most of their records were paper based.  Now, with the mandate for electronic health records, all of that has changed and unfortunately, Anthem got to be the poster child for information security.

Some people are suggesting that Anthem’s data was not encrypted.  That would not surprise me given the performance penalty organizations see when they do encrypt large amounts of data.  That means, if the bad guys got inside then the only thing that is between them and the data is likely a password.

When you have to do a large number of queries like Anthem has to do in the course of a day, that password is hardcoded into software (worst case) or in configuration data (best case).  In both of these cases, once the bad actor is inside, getting to that password is RELATIVELY easy.

Next comes logins.  Two factor authentication makes life harder on users, but also harder for hackers.  Some people are speculating that the system admins did not need to use two factor authentication.  Only time will tell if that was true at Anthem.

Finally, logging. Extensive logging with really smart AUTOMATED analysis would detect if, for example, a credential is being used far more than it should be, or in a place where it was not expected to be used. It would also tell if data was being exfiltrated, either in a volume that was unexpected or to a place that was unexpected. Some people are speculating that the reason Anthem was able to detect the problem themselves was due to excellent analysis and alerting tools.
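To make the "automated analysis" point concrete, here is an added example (not code from this blog, from Anthem or from Mandiant) of the three checks the paragraph describes, run over a handful of constructed database audit-log lines. The log format, account names, hosts, timestamps and per-account baselines are all constructed for the example; the idea is that a per-account baseline of normal source hosts, query rate and rows returned is enough to flag an admin credential that suddenly runs a burst of bulk reads from a host it has never used.

```python
"""
Added example (not from the post): a minimal automated analysis pass over
constructed database audit-log lines that flags a credential used far more
than usual, used from an unexpected host, or returning an unexpected volume
of rows. Everything below (log lines, accounts, hosts, baselines) is
constructed for the example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit log: timestamp, account, source host, rows returned.
SAMPLE_LOG = """\
2015-01-27T02:01:10 db_admin 10.0.5.12 1
2015-01-27T02:01:45 db_admin 10.0.5.12 3
2015-01-27T02:03:02 report_svc 10.0.7.20 5000
2015-01-27T02:05:30 db_admin 172.16.99.4 2500000
2015-01-27T02:06:01 db_admin 172.16.99.4 2500000
2015-01-27T02:06:44 db_admin 172.16.99.4 2500000
2015-01-27T02:07:19 db_admin 172.16.99.4 2500000
2015-01-27T03:10:00 report_svc 10.0.7.20 4800
"""

# Constructed baseline per account: the hosts it normally connects from,
# how many queries per hour are normal, and how many rows one query returns.
BASELINE = {
    "db_admin":   {"hosts": {"10.0.5.12"}, "queries_per_hour": 2, "rows_per_query": 100},
    "report_svc": {"hosts": {"10.0.7.20"}, "queries_per_hour": 4, "rows_per_query": 10000},
}


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, rows = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "host": host, "rows": int(rows)})
    return events


def analyze(events, baseline, rate_factor=2, volume_factor=10):
    """Return (kind, account, detail) alerts for the three anomaly types.

    - unexpected_host: a known account connecting from a host not in its baseline
    - query_rate: more queries in one hour than rate_factor x the hourly baseline
    - bulk_volume: more rows in one hour than volume_factor x the expected hourly rows
    """
    alerts = []
    seen_hosts = set()                       # (account, host) pairs already reported
    per_hour = defaultdict(lambda: {"queries": 0, "rows": 0})

    for e in events:
        b = baseline.get(e["account"])
        if b is None:                        # credential nobody expected to see at all
            alerts.append(("unknown_account", e["account"], e["host"]))
            continue
        key = (e["account"], e["host"])
        if e["host"] not in b["hosts"] and key not in seen_hosts:
            seen_hosts.add(key)
            alerts.append(("unexpected_host", e["account"], e["host"]))
        hour = e["ts"].replace(minute=0, second=0, microsecond=0)
        bucket = per_hour[(e["account"], hour)]
        bucket["queries"] += 1
        bucket["rows"] += e["rows"]

    # Rate and volume are judged per account per hour against the baseline.
    for (account, hour), bucket in sorted(per_hour.items()):
        b = baseline[account]
        if bucket["queries"] > b["queries_per_hour"] * rate_factor:
            alerts.append(("query_rate", account, bucket["queries"]))
        expected_rows = b["queries_per_hour"] * b["rows_per_query"]
        if bucket["rows"] > expected_rows * volume_factor:
            alerts.append(("bulk_volume", account, bucket["rows"]))
    return alerts


def run_example():
    """Analyze the constructed log against the constructed baseline."""
    return analyze(parse_log(SAMPLE_LOG), BASELINE)


if __name__ == "__main__":
    for kind, account, detail in run_example():
        print(f"ALERT {kind}: account={account} detail={detail}")
```

On the constructed input this raises three alerts, all against `db_admin`: a connection from a host outside its baseline, six queries in an hour against a baseline of two, and about ten million rows returned where a few hundred would be normal. The thresholds are deliberately simple; the point is that the two signals the post names (a credential used too often or from the wrong place, and an unexpected volume leaving the database) both fall out of a per-account baseline plus hourly aggregation, which is well within reach of ordinary log tooling.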

Sari Greene of Sage Data Security points out this is not an IT problem but a corporate governance problem.  Greene said that the Anthem board is likely discussing the breach today, but hopefully, this is not the first discussion with the board.

My guess is that ongoing, meaningful, board level discussion of information risk is still the exception, not the rule.  The cost to Anthem is unknown – depending on how much damage the attackers did, how much change is going to be required to reduce the chances of a future attack and the costs related to litigation and fines.

If you take the low end of the value equation, say $100 per record and cut the number of records in half to 40 million, that would make the value to the hackers of the data at around $4 billion.  Cut that in half again if you like – say $2 billion.

Like Willie Sutton said, he robbed banks because that is where the money is.  Today, the bank that holds the money is a data bank and Willie Sutton done struck again.

Boards MUST get involved, ask the hard questions and apply the resources – which means people and money – or we will continue to have more Anthems.

As I said yesterday, while the life expectancy of breached credit card data is maybe 30-60 days, a stolen social security number can be combined with other data for the rest of your life.  That makes them very interesting to the modern day Willie Suttons.


Anthem Blue Cross Hacked

I thought it had been quiet recently – apparently too quiet.

Anthem, the healthcare insurance company that operates in 14 states and is the second largest insurance company in the country, reported that it had been hacked.  Anthem operates under a lot of names including Anthem Blue Cross, a name well known in the Northeast.

According to a statement signed by Anthem CEO Joe Swedish,  the attackers did not take credit card information or healthcare information. Anthem said that possibly as many as 80 million customers, current and former, are affected.

The fact that no healthcare information was taken has to be a huge relief to Anthem’s board. With the new HIPAA rules, the fine could possibly have been as much as 80 million records times a $1.5 million fine per record. That is $120 trillion. Of course, they would never be assessed such a large fine, or even a small percentage of that number, but that is the potential max. Even 1/1000th of 1 percent of that number is a big number.

Another relief is the hackers did not use the Sony attack technique of thermonuclear information destruction and wipe all of Anthem’s systems.  That could have been a bit of a mess for them.  Think about an insurance company that could not pay claims for a couple of months.

What the hackers did take is names, addresses, social security numbers, email addresses, employer information and income and they did this for both current and former employees and customers.  Mr. Swedish said that it was in the tens of millions of people and maybe as many as 80 million.

They only discovered this last week, so there is probably more that they don’t know than they do know, and the facts may change. I give Anthem credit for announcing this so quickly. Most companies would not even know what the hackers got after a week, so it is possible that they have a good information risk management process in place; we don’t know yet.

One question that you might ask is why the hackers stole what they did steal.  I don’t have any insider info and the FBI is investigating, along with the security firm Mandiant, but I have a thought.

When the hackers at Home Depot stole those tens of millions of credit cards – or one of the other thousands of attacks that did not make the news – some, but only some, credit card companies issued new cards.  Some of those cards are still live.  More importantly, credit card numbers by themselves don’t sell for a lot of money any more because they get turned off pretty quickly.

BUT, if besides the credit card info, you have name, address, employer, social, date of birth, etc. – what hackers call “fullz”, meaning the full credit info, it sells for a lot more.

While that won’t help the hackers much right now regarding last year’s hack of Home Depot, when the next attack comes, having a database of information on 20 percent or more of the U.S. population is a hugely financially valuable tool.  Merge this with the 75 million records stolen from Chase last year and you have a pretty nifty database.

Like healthcare information, fullz information doesn’t change anywhere near as quickly as credit card information. Are you going to change your blood type or sell your house and move because of the hack? It is really hard to change your blood type, and unlikely that you are going to move because of one.

What this means is that hackers, who are becoming good at using big data, have a great repository of information to merge with the next credit card or healthcare hack to make a whole lot more money. And yes, hackers do work together – not so much for fun as for the collective profit, so my scenario is very realistic. That combined information makes it a lot easier for the hackers to create new credit in your name than just having a credit card number, or even the PIN.

Only time will tell, but check back for updates over the next few weeks.