The first lawsuits in the Anthem hack, the nation’s largest health care breach to date, have been filed.
At least four have been launched so far, in Indiana, California, Alabama and Georgia.
The suits allege that Anthem did not take adequate and reasonable measures to ensure its data systems were protected and that the 80 million Anthem customers whose information may have been affected could be harmed.
The breach of the nation’s second-largest health insurance company was first announced Feb. 4.
It was detected on Jan. 27, according to the company. That’s when an Anthem computer system administrator discovered outsiders were using his own security credentials to log in to the company system and steal data.
The company found that unauthorized data queries with similar hallmarks started as early as Dec. 10 and continued sporadically until Jan. 27.
The hackers succeeded in penetrating the system and stealing customer data sometime after Dec. 10 and before Jan. 27, said Kristin Binns, a spokeswoman for Indianapolis-based Anthem.
Attempts may have been made earlier in 2014, Binns said.
Hackers gained access to a company database that included members’ names, birthdays, Social Security numbers, addresses and employment data, including income. Credit card information was not among the data stolen, Anthem said.
The hackers appear to have compromised the credentials of five different tech workers at Anthem, possibly through “phishing” e-mails that trick users into unwittingly revealing passwords or downloading malicious software.
The attack was targeted, said David Damato, managing director at FireEye, a security firm brought in to aid Anthem in analyzing the breach.
The malicious software used to break into Anthem’s network hadn’t shown up on other computer networks and doesn’t appear to have been used in recent attack attempts on other companies.
Anthem shared information about the software used to attack its network with trusted individuals at other companies “and to our knowledge” no one indicated they had seen the same malware, Damato said.
“We also saw evidence that the attacker was interested in very specific information, in this case the database,” he said. “They did very methodical reconnaissance into the database.”
He couldn’t speak to press reports citing unnamed sources saying the attack had some attributes that might indicate it came from Chinese hackers.
“Attribution takes a lot of data. I think everyone’s just speculating. At this point in time, we’re working very closely with the FBI and we haven’t jointly provided any attribution,” he said.
Some have questioned why Anthem would have maintained a single database containing information about 80 million current and former members.
However, in the health care industry such databases are useful, said J.J. Thompson, the CEO of Rook Security, an Indianapolis-based computer security firm.
Such a large data warehouse would allow the company to do data analysis on illness hot spots, cost issues and preventive medicine.
“If I have my security hat on, I’d say ‘Never put all your eggs in one basket.’ But in the health care world, having the database could lead to better patient outcomes,” he said.
“But it should have been encrypted. I hope it was encrypted,” he said.