Data breach fail at AnthemHealth: an inadvertent ‘inside job’ (updated)

US health insurance giant AnthemHealth, which had a data breach of reportedly up to 80 million beneficiaries [TTA 6 Feb], was the victim of an inadvertent ‘inside job’. The Associated Press reported that the credentials of at least five employees were used to access information, at least one of whom was an administrator who discovered his own credentials being used to query the data warehouse. Obtaining such credentials is easier than you might think. In an analysis published by security firm Tripwire and also in MIT Technology Review, the writer Ken Westin outlines how easy it is to find that the Anthem warehouse runs on Teradata, and to match up the employees working with it, by using public employee profiles on sites like LinkedIn and job postings. From there it is a matter of deduction to find exact email addresses (find the pattern; lead-generation companies building business contact lists do this all the time) and send these key employees phishing emails, where the ‘sophisticated software’ used in the breach would be designed to evade standard anti-virus programs. The key problem was the lack of additional authentication required to gain data warehouse access; “Anthem’s primary security sin may not have been the lack of encryption, but instead improper access controls,” not Teradata’s software or security.

This adds to the lack of encryption of customer data that is not shared outside the Teradata database (which falls into a HIPAA loophole), and also to the lack of compartmentalization of that data for extra security.

That personal data, not health data, is a treasure beyond compare for hackers: “Compared to credit card information, personally identifiable information and Social Security numbers are worth more than 10x in price on the black market,” says Martin Walter, senior director at RedSeal. For starters. (NetworkWorld)

Data security is key to the reality and perception of patient privacy, and it remains a major concern for executives in mHealth’s expansion because of the tons of additional patient data it generates. See the Economist survey reviewed earlier this week.

But the last word on this may be that “it shows, experts said, almost any organization can be violated by a persistent and well-resourced hacker.” Their chief information security officer was also rated by industry experts as “one of the best in the field”, serving on the board of healthcare cyber clearinghouse HITRUST and being asked to comment on administration cybersecurity efforts. (POLITICO’s Morning eHealth last Friday)

Other updates: Anthem customers have already been alerted to ‘scam emails’. (HealthITSecurity) The M.O. is Chinese, according to Bloomberg. The National Association of Insurance Commissioners (NAIC) is investigating, with California, Indiana and Maine taking the lead. Congress is getting into the act, with Energy and Commerce Committee Chair Fred Upton (R-Mich.) and his committee meeting with Anthem, and two Senators announcing data security initiatives. (iHealthBeat)
