First Lawsuits Launched in Anthem Hack

The first lawsuits in the Anthem hack, the nation’s largest health care breach to date, have been filed.

At least four have been launched so far, in Indiana, California, Alabama and Georgia.

The suits allege that Anthem did not take adequate and reasonable measures to ensure its data systems were protected and that the 80 million Anthem customers whose information may have been affected could be harmed.

The breach of the nation’s second-largest health insurance company was first announced Feb. 4.

It was detected on Jan. 27, according to the company. That’s when an Anthem computer system administrator discovered outsiders were using his own security credentials to log in to the company system and steal data.

The company found that unauthorized data queries with similar hallmarks started as early as Dec. 10 and continued sporadically until Jan. 27.

The hackers succeeded in penetrating the system and stealing customer data sometime after Dec. 10 and before Jan. 27, Binns said.

Attempts may have been made earlier in 2014, said Kristin Binns, a spokeswoman for Indianapolis-based Anthem.

Hackers gained access to a company database that included members’ names, birthdays, Social Security numbers, addresses and employment data, including income. Credit card information was not among the data stolen, Anthem said.

The hackers appear to have compromised the credentials of five different tech workers at Anthem, possibly through “phishing” e-mails that trick users into unwittingly revealing passwords or downloading malicious software.

The attack was targeted, said David Damato, managing director at FireEye, a security firm brought in to aid Anthem in analyzing the breach.

The malicious software used to break into Anthem’s network hadn’t shown up on other computer networks and doesn’t appear to have been used in recent attack attempts on other companies.

Anthem shared information about the software used to attack its network with trusted individuals at other companies “and to our knowledge” no one indicated they had seen the same malware, Damoto said.

“We also saw evidence that the attacker was interested in very specific information, in this case the database,” he said. “They did very methodical reconnaissance into the database.”

He couldn’t speak to press reports citing unnamed sources saying the attack had some attributes that might indicate it came from Chinese hackers.

“Attribution takes a lot of data. I think everyone’s just speculating. At this point in time, we’re working very closely with the FBI and we haven’t jointly provided any attribution,” he said.

Some have questioned why Anthem would have maintained a single database containing information about 80 million current and former members.

However, in the health care industry such databases are useful, said J.J. Thompson, the CEO of Rook Security, an Indianapolis-based computer security firm.

Such a large data warehouse would allow the company to do data analysis on illness hot spots, cost issues and preventive medicine.

“If I have my security hat on, I’d say ‘Never put all you eggs in one basket.’ But in the health care world, having the database could lead to better patient outcomes,” he said.

“But it should have been encrypted. I hope it was encrypted,” he said.

Source Link

Recommended Articles

Lawmakers, Payers And Providers All Air Grievances With Federal No Surprises Act Implementation

Amid a flurry of partisan roadblocks rolling out across Capitol Hill, representatives on both sides of the aisle came together Tuesday to critique federal agencies’ rollout of the No Surprises Act and throw their support behind court-ordered rewrites of independent dispute resolution (IDR) regulations. During a hearing exploring the “flawed implementation” of the law intended ...

Read More

As Biden Plans To Ban Medical Debt From Credit Scores, Advocates Press For More Change

The dramatic impact of medical debt on credit scores may soon be a thing of the past. On Thursday, the White House announced a plan outlined by the Consumer Financial Protection Bureau (CFPB) to eliminate medical debt from credit reports. The move — which follows an earlier decision from the three main credit bureaus to eliminate paid medical debt, medical ...

Read More

Compliance With The CAA’s Gag Clause Prohibition

The Consolidated Appropriations Act (CAA) of 2021 made a number of federal changes to the U.S. health care system, with the goal of increasing transparency. One of the most immediate changes was the prohibition of gag clauses in contracts between insurance plans, insurance issuers, and providers. Gag clauses are contractual provisions that restrict plans or ...

Read More

Answers To Q4 Frequently Asked Questions

Throughout the year, especially during Q4, we know you are bound to have questions about Underwriting, Client Experience, Enrollment, and Compliance. That’s why we’ve compiled this list of the most frequently asked questions (FAQs) during peak season.

Read More