In 2015, the Office of Civil Rights (OCR) recorded that US providers were affected by 253 medical data breaches, equivalent to 112m records.
The bulk of those records came from Anthem. In February 2015, Anthem confirmed that it had been bled for an estimated 80m patient records, including names, taxpayer IDs, birthdays, health care ID numbers, street addresses, email addresses, and employment data that included income – a veritable toolkit for identity theft.
As it turned out, the massive data breach exposed sensitive data on not only Anthem customers: it also dragged in data from non-customers, in the form of patient records for 37 independently operated Blue Cross Blue Shield member companies that were also involved in the breach.
The breach was later determined to have originated from a single malicious email opened by one person. And though it turned out to be a little less than the first estimate, at 78.8m breached records, it still dwarfed that year’s next-biggest medical data breaches, with 11m breached at Premera and 10m from Excellus.
But then, many superlatives adhere to Anthem: it’s the largest health insurance company in the US, it’s lost the most medical records, and now it’s looking at the possibility of having to cough up the largest data breach settlement in history.
Plaintiffs’ counsel on Friday announced that Anthem’s agreed to pay a $115m settlement over the breach.
The settlement still has to be approved by US District Court Judge Lucy Koh, who’s scheduled to hear the case on August 17.
If approved, the money will go toward at least two years of credit monitoring for victims, will cover out-of-pocket expenses incurred by consumers as a result of the data breach, and will provide cash compensation for those people who are already enrolled in credit monitoring.
Beyond funds for the victims, the settlement also requires Anthem to keep up a certain level of funding for information security and to implement or maintain numerous specific changes to its data security systems, including encryption of certain information and archiving sensitive data with strict access controls.
From plaintiffs’ counsel:
The settlement is designed to protect class members from future risk, provide compensation, and ensure best cybersecurity practices to deter against future data breaches.According to a report (PDF) on the Anthem breach conducted by seven state insurance commissioners, as of January, Anthem was already spending more than $260m on significant security-related measures.
The report says that Anthem’s security enhancements have included implementation of two-factor authentication (2FA) on all remote access tools; deployment of a privileged account management technology; additional, enhanced logging resources to its security event and incident management tools; a complete reset of passwords for all privileged users; suspension of all remote access pending implementation of 2FA; new network administrator IDs to replace the existing IDs; and additional monitoring technologies for critical databases.
According to the insurance commissioners’ report, the data breach began on Februay 18 2014, when a user at one of Anthem’s subsidiaries opened a phishing email containing malware. In other words, the attackers apparently had access to the data for about a year. That’s a lot of time to inflict a lot of damage, and that’s exactly what happened.
Once the computer was infected – the report fingered a nation state but didn’t identify which one – the attackers gained remote access to it and dozens of other systems within Anthem. They moved laterally throughout the IT infrastructure, getting into critical databases and exfiltrating data without being detected.
In fact, according to the report, the attackers ratcheted it up all the way into Anthem’s data warehouse:
No comments:
Post a Comment