HardOCP News
[H] News
- Joined
- Dec 31, 1969
- Messages
- 0
Hackers have made off with the personal information of as many as 80 million current and former members of Anthem, the number two health insurer in the United States. 
![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
Second Largest Health Insurer In The US Hacked
- Thread starter HardOCP News
- Start date
PantherBlitz
Limp Gawd
- Joined
- Apr 14, 2011
- Messages
- 421
I think enough evidence has proven that network security is an illusion. Time to revive the sneaker net.
striker444
Gawd
- Joined
- Jan 20, 2012
- Messages
- 520
Wow, this is not something that can be easily fixed like sending out a new creditcard.
"Names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information"
You kidding me? They are gonna have a lawsuit on their hands.
"Names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information"
You kidding me? They are gonna have a lawsuit on their hands.
LOL I'm guessing they added legalese in everything you sign when enrolling for their healthcare to remove your right to start a lawsuit.
TeeJayHoward
Limpness Supreme
- Joined
- Feb 8, 2005
- Messages
- 12,271
Even if they didn't, do you think the $3.56 you'd receive from a class action lawsuit would cover the cost of your identity theft?
Ripperjack
Limp Gawd
- Joined
- Mar 26, 2010
- Messages
- 299
We use Anthem Blue Cross Blue Shield, were I work. So I alerted our HR department and now I'm going to have to keep a close eye on my bank accounts and credit cards.
Since this would be a MAJOR HIPAA violation, some high level heads ARE going to roll over this.
Since this would be a MAJOR HIPAA violation, some high level heads ARE going to roll over this.
DarkStar_WNY
2[H]4U
- Joined
- Dec 27, 2006
- Messages
- 2,363
I love how they are pushing forward that no credit card or medical information was accessed, at least as far as they know, but they don't mention that enough info was taken to get credit cards in your name.
I had Anthem until this first of this year, so as you can imagine, I'm not very happy at the moment.
DarkStar_WNY
2[H]4U
- Joined
- Dec 27, 2006
- Messages
- 2,363
We use Anthem Blue Cross Blue Shield, were I work. So I alerted our HR department and now I'm going to have to keep a close eye on my bank accounts and credit cards.
Since this would be a MAJOR HIPAA violation, some high level heads ARE going to roll over this.
Well unless actual medical information were accessed I don't think HIPPA would come into play.
- Joined
- Aug 20, 2006
- Messages
- 13,000
How the hell do you even protect yourself from identity theft these days.
Full names and socials is enough for a HIPAA violation.
SBSuperfly
Gawd
- Joined
- Feb 1, 2006
- Messages
- 865
wrong
Correct.
As an example to how tenuous is our hold on personal data:
We do some work for a local charity. This charity receives donations of all kinds, some of which is IT. About a year ago, the director of the charity brought in two PCs that had come from a local hospital, wondering if they could be refurbished for any use. I opened them up and found a couple capacitors that were bulging so I informed him they were better off being recycled. I was about to send them off to the recycler when I thought "What if there is personal data on there?" We started them up and saw that there was, in fact, patient data on both the drives of the computers. I instantly yanked the power cord and called the director of the charity and explained to him that I was looking at several hundred thousand dollars of hipaa fines.
It turns out that the person responsible for the destruction of the data didn't want the time or expense of shredding it, so they just donated it to a local charity. We called the hospital and informed them (the person we spoke to was furious, but not at us) and also called the proper authorities. We never did hear if anything was done about it. If these types of things are happening here, they are happening everywhere.
ViperGrendal
Limp Gawd
- Joined
- Jan 17, 2009
- Messages
- 403
Guess it's time to lock the credit since it seems like there is no such thing as private information any more.
B00nie
[H]F Junkie
- Joined
- Nov 1, 2012
- Messages
- 9,327
I wonder if their policy will cover the damages
lilbabycat
2[H]4U
- Joined
- Jun 21, 2011
- Messages
- 3,810
You're wrong. Google it.
lilbabycat
2[H]4U
- Joined
- Jun 21, 2011
- Messages
- 3,810
Originally Posted by SBSuperfly View Post
"wrong"
Whoops replied to wrong person. you are correct SBSuperfly.
I got an e-mail with:
Once Anthem determined it was the victim of a sophisticated cyber attack, it immediately notified federal law enforcement officials and shared the indicators of compromise with the HITRUST C3 (Cyber Threat Intelligence and Incident Coordination Center).
Anthems Information Security has worked to eliminate any further vulnerability and continues to secure all of its data.
Anthem immediately began a forensic IT investigation to determine the number of impacted consumers and to identify the type of information accessed. The investigation is still taking place.
The information accessed includes member names, member health ID numbers/Social Security numbers, dates of birth, addresses, telephone numbers, email addresses and employment information, including income data. Social Security numbers were included in only a subset of the universe of consumers that were impacted.
Anthem is still working to determine which members Social Security numbers were accessed.
Anthems investigation to date shows that no credit card or confidential health information was accessed.
Anthem has advised there is no indication at this time that any of our clients personal information has been misused.
All impacted Anthem members will be enrolled in identity repair services. In addition, impacted members will be provided information on how to enroll in free credit monitoring.
Anthem has created a website www.anthemfacts.com, and a hotline, 1-877-263-7995, for its members to call for more information, and has shared the attached Frequently Asked Questions (FAQs) that further explains the cyber attack.
Once Anthem determined it was the victim of a sophisticated cyber attack, it immediately notified federal law enforcement officials and shared the indicators of compromise with the HITRUST C3 (Cyber Threat Intelligence and Incident Coordination Center).
Anthems Information Security has worked to eliminate any further vulnerability and continues to secure all of its data.
Anthem immediately began a forensic IT investigation to determine the number of impacted consumers and to identify the type of information accessed. The investigation is still taking place.
The information accessed includes member names, member health ID numbers/Social Security numbers, dates of birth, addresses, telephone numbers, email addresses and employment information, including income data. Social Security numbers were included in only a subset of the universe of consumers that were impacted.
Anthem is still working to determine which members Social Security numbers were accessed.
Anthems investigation to date shows that no credit card or confidential health information was accessed.
Anthem has advised there is no indication at this time that any of our clients personal information has been misused.
All impacted Anthem members will be enrolled in identity repair services. In addition, impacted members will be provided information on how to enroll in free credit monitoring.
Anthem has created a website www.anthemfacts.com, and a hotline, 1-877-263-7995, for its members to call for more information, and has shared the attached Frequently Asked Questions (FAQs) that further explains the cyber attack.
sliverjazz
Gawd
- Joined
- Jun 9, 2004
- Messages
- 747
I got a comp from the local goodwill. I guess it was from the local dentist office. It had about 500 hundred insurance and ss numbers ect.
SixFootDuo
Supreme [H]ardness
- Joined
- Oct 5, 2004
- Messages
- 5,825
Look, nothing is safe. Period. You are very foolish if you think anything is really protected, not shared, hardware encrypted, etc etc etc.
Let's say you have a music personality out there with HIV or movie star that will mostly likely be healthy the next decade or 15 - 20 years. Someone who is very well paid and has a long career ahead of him / her and trust me, there are many out there right now in this position.
All of a sudden, a hacker has this very personal information and contacts you in an attempt to black mail you.
This is horrible horrible news if that level of personal information was compromised.
Let's say you have a music personality out there with HIV or movie star that will mostly likely be healthy the next decade or 15 - 20 years. Someone who is very well paid and has a long career ahead of him / her and trust me, there are many out there right now in this position.
All of a sudden, a hacker has this very personal information and contacts you in an attempt to black mail you.
This is horrible horrible news if that level of personal information was compromised.
Also, the super pixelated banner image is not helping restore faith in their technical prowess.
Hah I thought the same thing. It was probably the only picture they could find of him that didn't make him look like an unapologetic smug asshole.
DarkStar_WNY
2[H]4U
- Joined
- Dec 27, 2006
- Messages
- 2,363
I saw a story a few years ago in which the news station, I think it was CBC, bought 5 old copiers and were able to pull thousands of documents off their hard drivers, one was from a police station and actually still had personnel documents sitting on the scanning bed.
DarkStar_WNY
2[H]4U
- Joined
- Dec 27, 2006
- Messages
- 2,363
Oh how I wish this forum had an edit button.
Sp33dFr33k
2[H]4U
- Joined
- Apr 20, 2002
- Messages
- 2,481
With all of these hacks and compromised sites I'll probably get free credit monitoring forever.
Ride that gravy train!
lilbabycat
2[H]4U
- Joined
- Jun 21, 2011
- Messages
- 3,810
"We noticed you've been monitoring your credit for an excessively long amount of time for someone who is only a middle class peon, therefore we've deducted 75 points from your credit score"
TwistedAegis
[H]F Junkie
- Joined
- Oct 7, 2009
- Messages
- 8,958
Honestly, we need a whole new identity paradigm somehow. I'm not sure how to reconcile it with personal liberty, do not track, etc...but the whole SSN thing was not designed for the computer age, and working in finance, identifying people is a huge PITA, particularly when the data for pretty much most Americans is available for purchase.
Shit, half the time the fraudsters can jump through the ID hoops easier than real people, because they have all the data in front of them, vs a real person trying to remember some of it off the top of their head.
Shit, half the time the fraudsters can jump through the ID hoops easier than real people, because they have all the data in front of them, vs a real person trying to remember some of it off the top of their head.
bmellis1984
Weaksauce
- Joined
- Feb 9, 2012
- Messages
- 97
Yeppers, Thumb Drive in hand..... Crap they beat me up an took it. Old School hacking.
A better, more technical, report on the attack:
http://www.nextgov.com/cybersecurity/threatwatch/2015/02/breach/2013/?oref=TW_hp_module
http://www.nextgov.com/cybersecurity/threatwatch/2015/02/breach/2013/?oref=TW_hp_module
crusty_juggler
[H]ard|Gawd
- Joined
- Feb 11, 2014
- Messages
- 1,241
What will stop these corporations and businesses from using lackadaisical security practices? This is getting ridiculous.
Because SSN's can be an patient identifier, disclosing it is NOT a HIPAA violation. This is why it was fine for insurance companies to issue insurance cards with your SSN on it. It may violate some state and more recent federal laws but it's not a violation of HIPAA.
This is why we host no data outside of our LAN/WAN on external providers. Way too many national security risks.
I got this email too. I think these companies should get fined like copyright violations - $50k for every single person whose data is compromised. It's simply cheaper to pay for credit monitoring AFTER an attack than to implement hardened network and data security practices BEFORE one.
Who says that it was bad practices? They could have cutting edge security and it can all be rendered useless because someone clicked on a phishing link or someone doxxed enough information about an admin to trick someone into switching a password.
Guarantee they don't have cutting edge security if they don't notice 80 million records being accessed. That's like your whole house being emptied out by a thief and only noticing it when they take the lightbulbs.
TeeJayHoward
Limpness Supreme
- Joined
- Feb 8, 2005
- Messages
- 12,271
Or it could have even been malicious. Maybe a former admin caught wind that he was going to get fired, and worked alongside the black hats for monetary reward.
LightningCrash
2[H]4U
- Joined
- Dec 29, 2000
- Messages
- 2,470
Agreed, they should have been able to detect the sysadmin's ID accessing the records and put a stop to it.
They do kind of describe it that way though, so there's that.