One of the largest health insurers in the US, Anthem, revealed on Wednesday that one of its IT systems suffered a breach, resulting in the compromise of employee and customer details, including income data. The Indianapolis-based insurer, which operates Blue Shield and Anthem Blue Cross in Maine, set up a special web page addressing the attack.
This breach could be the biggest to affect the healthcare industry and adds to a long list of firms that suffered damaging data breaches last year. The company said the hackers did not steal information related to medical claims, but did collect medical identification numbers, along with email addresses, postal addresses and Social Security numbers, which can be used to commit medical fraud.
Victims of the data breach include more than 312,000 of the insurer's existing customers and over 800 employees in Maine. The insurer is the largest in Maine and handles health care plans for major companies there.
Rory Sheehan, company spokesman, said in a statement:
“No credit card information was compromised, nor is there evidence at this time that medical information such as claims, test results or diagnostic codes were targeted or obtained.”
Upon learning of the attack, the insurer took immediate steps to close the security vulnerability, contacted the FBI and began cooperating with the bureau's investigation.
Blue Shield and Anthem Blue Cross in Maine will individually notify current and former members whose information was accessed. According to the Maine Department of Professional and Financial Regulation, the notifications should go out within a couple of weeks.
The stolen records are quite valuable to cyber criminals. A healthcare record can fetch $50 or more on the underground market, far more than credit card records, which generally sell for a dollar or two.
News of the breach has also spawned phishing scams in which criminals pose as the firm to get people to sign up for a bogus credit protection scheme and hand over personal details in the process.
Customers have been told not to send any information in response to such messages, and those whose information was stolen and who suspect identity theft should report it to the FBI's Internet Crime Complaint Center at www.ic3.gov.
The stolen information is also ideal for identity theft schemes such as income tax return fraud, in which adversaries use stolen details to file false tax returns with the IRS. Maine physicians were hit by such a scam last year. This kind of fraud costs the US Treasury billions of dollars in fraudulent refund payouts, and all that is needed to carry it out is the taxpayer's name and Social Security number.
Records can also be used by criminals to conduct insurance and billing scams involving fake medical claims.
What needs to be done?
Customers should place a fraud alert or security freeze in several places; with a freeze in place, criminals holding a stolen Social Security number cannot pull the victim's credit file. However, a security freeze is free only for identity theft victims and costs $10 for everyone else. Customers should also avoid clicking on links in emails that claim to offer credit protection services or other information related to the breach.
For health insurers, threat intelligence systems with data breach notification can provide behind-the-scenes protection. Such solutions deliver real-time threat reports that indicate whether the insurer has been breached or may be breached in the future. Some vendors also offer features intended to stop bad actors from exploiting an insurer's system vulnerabilities again.