
Industry News

Four Years Later, Anthem Breached Again: Hackers Stole Credentials

The second largest healthcare insurance provider, Indianapolis-based Anthem Inc., recently reported a data breach affecting 80 million customers and employees, the Wall Street Journal stated. The breach itself occurred mid-December, 2014, but wasn’t discovered until the end of January 2015.

How did they do it? It was revealed that hackers were able to somehow obtain the access credentials to an Anthem database, as Anthem’s CIO told WSJ. And as the Associated Press reported, hackers were able to steal the credentials of five different technical employees during their attack.

The company reports that no medical or financial information was exposed, but their names, birthdates, medical IDs, Social Security Numbers (SSNs), physical addresses, email addresses and employment information (including income) were breached. Anthem offers Blue Cross Blue Shield insurance with office locations in California, Colorado, Connecticut, Indiana, Maine, Ohio and many other states; and insures one in nine Americans, according to CSOonline.com.

Measured against the data breaches revealed last year, this healthcare breach ranks near the top by number of records breached: Target’s breach affected 40 million, Home Depot’s 56 million, and JPMorgan Chase’s topped the list at 76 million.

A History of Database Security Problems

However, this isn’t the first major data breach for the company. Anthem was also formerly known as WellPoint, which might ring a bell for those that have been following the healthcare data breach headlines for a few years now. In July 2013, WellPoint was fined $1.7 million by the Dept. of Health & Human Services (HHS) after the company violated HIPAA (Health Insurance Portability and Accountability Act of 1996) compliance in 2010.

In that case, a ‘security weakness’ in an online application database rendered over 600,000 records containing electronic protected health information (ePHI) publicly accessible online. The lawsuit brought against the health insurer by the federal government claimed that WellPoint didn’t have technical safeguards in place to verify the identity of users accessing the data in their application database, suggesting they had poor access and authentication security in place at the time.

In the 2010 incident, hundreds of thousands of medical and personal records were leaked online. The most recent incident leaked only personal information, not medical data (so the exposed records fall outside the scope of HIPAA, which sets standards only for protected health information), and it was very clearly a direct attack by an external entity rather than an oversight in database security.

However, it would appear that the company has trouble securing its databases containing sensitive information. Anthem’s CIO told the WSJ that they first detected the attack when a systems administrator noticed that a database query was sent using his identifier code, although he hadn’t initiated it. That suggests that a hacker had gained legitimate access via system administrator credentials, signifying a potential phishing or other credential-stealing attack.

In immediate remediation, the CIO reported that Anthem has reset all employee passwords with privileged access to its data systems, and blocked access that involves only one password. But that doesn’t really address password-targeted attacks, including social engineering efforts, such as phishing emails. And it certainly doesn’t address repeated phishing attacks against employees or customers.
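The signal the administrator noticed (a query issued under his identifier from a session he had not opened) can be checked automatically by correlating database audit records with interactive session records. The following is an added example, not code from the original post or from Anthem or Duo; the audit and session log formats, account names and hosts are constructed assumptions.

```python
"""Flag database queries issued under a privileged account from a host where
that account has no open interactive session at that moment.

Added example (not from the original post). Log formats, accounts and hosts
below are constructed for illustration."""
from datetime import datetime

PRIVILEGED = {"dba01", "dba02"}  # assumption: accounts with privileged DB access

# Constructed session records: (user, host, login, logout), e.g. from VPN/SSO logs
SESSIONS = [
    ("dba01", "10.0.5.21", "2014-12-10T08:55:00", "2014-12-10T17:30:00"),
    ("dba02", "10.0.5.22", "2014-12-10T09:10:00", "2014-12-10T18:00:00"),
]

# Constructed DB audit lines: "<timestamp> user=<acct> host=<ip> query=<sql>"
AUDIT = """\
2014-12-10T10:02:11 user=dba01 host=10.0.5.21 query=SELECT count(*) FROM members
2014-12-10T23:41:07 user=dba01 host=10.0.9.77 query=SELECT * FROM members
2014-12-10T11:15:42 user=app_ro host=10.0.3.4 query=SELECT id FROM claims
2014-12-11T02:05:00 user=dba02 host=10.0.5.22 query=SELECT ssn FROM members
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def session_open(user, host, at):
    """True if `user` has an interactive session from `host` covering time `at`."""
    for u, h, start, end in SESSIONS:
        if u == user and h == host and parse_ts(start) <= at <= parse_ts(end):
            return True
    return False

def parse_audit_line(line):
    ts, rest = line.split(" ", 1)
    head, query = rest.split(" query=", 1)
    fields = dict(kv.split("=", 1) for kv in head.split())
    fields["query"] = query
    return parse_ts(ts), fields

def find_suspicious_queries(audit_text):
    """Return (timestamp, user, host, query) for privileged-account queries that
    have no matching open session for that user from that host."""
    hits = []
    for line in audit_text.splitlines():
        at, f = parse_audit_line(line)
        if f["user"] in PRIVILEGED and not session_open(f["user"], f["host"], at):
            hits.append((at.isoformat(), f["user"], f["host"], f["query"]))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_queries(AUDIT):
        print("ALERT privileged query without matching session:", hit)
```

On the constructed input this flags the off-hours query from an unknown host under dba01 and the query under dba02 issued after that account's session had ended, while the in-session query and the non-privileged account pass.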

Phishing Scams Target Anthem Customers

And it would appear as though Anthem victims are already being targeted in phishing scams launched hours after the breach announcement, as KrebsonSecurity.com reports, suggesting that the data has already fallen into the wrong hands. Seeking to exploit the incident to steal financial and personal data from Anthem customers, phishers have sent out emails with a link persuading users to “click here to get your free year of credit card protection.” They’re also cold-calling customers as part of the scam.

Anthem stated that any legitimate notifications from the company will be sent only via postal mail. In an FAQ about the breach, they also added a note about scams:

Q: I think I received a scam email related to Anthem's cyber attack?

A: Members who may have been impacted by the cyber attack against Anthem, should be aware of scam email campaigns targeting current and former Anthem members. These scams, designed to capture personal information (known as "phishing") are designed to appear as if they are from Anthem and the emails include a "click here" link for credit monitoring. These emails are NOT from Anthem.

DO NOT click on any links in email.
DO NOT reply to the email or reach out to the senders in any way.
DO NOT supply any information on the website that may open, if you have clicked on a link in email.
DO NOT open any attachments that arrive with email.

Two-Factor Authentication Protects Administrator Access

As CSOonline.com stated, phishing attacks bypass a number of security controls, including encryption, and they are often the easiest and most successful ways to get access and data:

...while the attackers could have used Java, Windows, or Adobe vulnerabilities, the fastest way to obtain credentials is to ask for them, which is exactly what Phishing does in most cases.

Between Google, LinkedIn, Facebook, and various posts across the Web, it wouldn't take long to develop an email scheme that would eventually lead someone within Anthem's technology group to reveal their credentials.

The CSO article also speculates about the use of two-factor authentication within Anthem’s internal systems. If the attack was carried out as the result of using a single password, their access security wasn’t up to industry standards.

Two-factor authentication may have thwarted attacks by requiring the use of a personal device to verify the identity of a system administrator or other technical employee with access to their database of millions of sensitive records. It’s considered best practice for any type of company with sensitive data, and it’s rather revealing of the security health of the healthcare industry if the second-largest health insurer didn’t have it in place.

Learn more about modern attacks against any organization and new solutions by downloading our free eBook - A Modern Guide to Retail Data Risks.

Or, join our webinar this Wednesday, February 11 at 2pm EST: How to Secure Your Healthcare Data Without Disrupting Clinician Workflow, to learn:

  • Why healthcare organizations are vulnerable to attacks
  • Trends in methods of exploitation used by hackers
  • How to evaluate two-factor solutions on usability, deployability and security