Anthem's Stolen Customer Data Not Encrypted

CommanderFrank

More bad news for the customers concerning Anthem’s hack from earlier this week. Anthem’s CEO Joseph Swedish made the announcement on Friday that none of the personal information of the 80 million or so employees and members was encrypted. It’s amazing that huge corporations like Anthem don’t feel it’s important to divulge all of the facts up front.

The HIPPA ruling recommends using encryption if the health insurer believes it's an appropriate measure to mitigate risk. But lacking a specific requirement essentially leaves it up to each company to decide how to protect its data.
 
How many people will get fired over this, and how big of a raise will the CEO get for doing so?
 
Wow.... just wow @ the utter fucking stupidity.

ALL of the upper management dealing with IT security deserve to be insta-fired over this.
 
Probably gonna be worse than just people being fired.

HIPPA was made specifically for this kind of thing.

They're gonna have the government go after them big time. I'd bail out of that ship if I were anyone working there.
 
You would be amazed at how many companies operate like this, or disregard IT security altogether. This is mostly because the people in charge of the money don't perceive the threats that could happen and how they relate to costs or damages.

The company I work for covers thousands of employees with Anthem. I could not believe the reaction the HR department had against our IT department this week. Even though Anthem was hacked, you would have thought our company itself was hacked.

This is all despite the fact that our ISAT group has been asking for more budgeting and staffing for the last 5 years to keep up with zero-day threats and ever-changing PCI and HIPPA compliance... Maybe now they will listen.
 
Probably gonna be worse than just people being fired.

HIPPA was made specifically for this kind of thing.

They're gonna have the government go after them big time. I'd bail out of that ship if I were anyone working there.

Sadly HIPPA only recommends encryption, it doesn't require it. They left a loophole in the law to allow companies to decide for themselves whether encryption is needed on medical information they store.
 
Maybe they should be punished by forcing them to actually honor insurance claims instead of just denying them by default, and then making you wait 30-60 days while they "review" the claim.
(speaking from experience)
 
Sadly HIPPA only recommends encryption, it doesn't require it. They left a loophole in the law to allow companies to decide for themselves whether encryption is needed on medical information they store.

I had just read up on that.

Sadly this will be largely downplayed by the media and the government will likely take little if any action against them because they're so big. It's sad when you realize it's going to get much, much, much worse before people in charge get a clue, and then it's going to be too late.

As someone else mentioned early -- companies will be looking at IT depts and punish them while still denying the growth and support they need.
 
So new laws that put companies at fault if customers/employees have THEIR information compromised in 3....2.... er who am I kidding they'll never do anything like that.
 
Probably the one area of the industry where a bandwidth cap could make sense and is never used.
 
ok Anthem, you fucked me on this.

You owe me free health care for the rest of my life. Including the most expensive name brand drugs.
 
So new laws that put companies at fault if customers/employees have THEIR information compromised in 3....2.... er who am I kidding they'll never do anything like that.

You might be surprised though at how proactive some places are becoming. About half of my job now as a developer at a mega bank is security related. Not saying it's perfect, but the corporate culture has become paranoid over the issue.
 
Probably gonna be worse than just people being fired.

HIPPA was made specifically for this kind of thing.

They're gonna have the government go after them big time. I'd bail out of that ship if I were anyone working there.

Just wait until the Libhurrrtarian neckbeards chime in and say we don't need regulations because the free market would have solved this problem ages ago.
 
You might be surprised though at how proactive some places are becoming. About half of my job now as a developer at a mega bank is security related. Not saying it's perfect, but the corporate culture has become paranoid over the issue.

lies, you work for Microsoft, in the marketing department, no? :D
 
I literally just wrote my congressman and the short story was: require anything with a social security number to be encrypted period.
 
Just wait until the Libhurrrtarian neckbeards chime in and say we don't need regulations because the free market would have solved this problem ages ago.

I mean, it could be argued that if we had a free market, healthcare would pretty much require being affordable, which could have removed the insurance company from the equation altogether.

However, it could be argued that if healthcare companies couldn't make worthwhile profits, many life-saving procedures/devices would not have been built.

So any "what if" game could come to whatever conclusion someone wanted.

I don't know too many <strike>strawmen</strike> libertarians who are against ALL regulation, just heavy regulation, which of course is up for debate as to what does and does not count as heavy.
 
I literally just wrote my congressman and the short story was: require anything with a social security number to be encrypted period.

Years ago we were told that SSNs shouldn't be used as a form of identification of a person, not because it isn't good practice to ask a customer their SSN but because SSNs were not private information and were something that anyone could have for a person.

Which I guess I can't really argue with. You have to give it out all the time for the simplest of things, so you probably really can't consider it private. Even Google demanded a copy of my SSN and birth certificate in order to allow me to make a Google+/YouTube account.
 
As someone who is intimate with the common hospital-level patient data security, HIPPA requirements, and patient monitoring equipment software, I can tell you that stealing an entire hospital's records would be a cakewalk. If that system is networked for an entire hospital system/conglomerate, you've basically won the jackpot, and half a state's worth of info.

The security measures used amount to simple passwords and "security through obscurity". Your data could be taken easily, given someone moderately knowledgeable.
 
Hey guys, if you want to seem like more of an authority on the law, try spelling it correctly. HIPAA, not HIPAA. Two As, not two Ps. It's HIPAA, not a modified hippopotamus.

Just wait until the Libhurrrtarian neckbeards chime in and say we don't need regulations because the free market would have solved this problem ages ago.

As opposed to the regulation that already exists? Yep, the law did a bang up job making sure this never happened. You must get headaches from all that cognitive dissonance.
 
Just wait until the Libhurrrtarian neckbeards chime in and say we don't need regulations because the free market would have solved this problem ages ago.
The situation is already regulated. They are required to encrypt their stored data. Success!!!!! Oh, wait.....

If there was a market, I could switch insurance companies in a practical way, and if they lost 10-20% of their customers over this, it would punish them more than the government will.
 
About 6 years ago I was hoping to work for them. I sure dodged a bullet there
 
Sadly HIPPA only recommends encryption, it doesn't require it. They left a loophole in the law to allow companies to decide for themselves whether encryption is needed on medical information they store.

And we all know what requiring it would be: "job killing regulation" :rolleyes:
 
I don't see how encryption isn't standard practice for every major information store.

And we all know what requiring it would be: "job killing regulation" :rolleyes:

I assume that was sarcasm. The flip side is that it'd fuel jobs in the companies dealing with the software/hardware/services that facilitate massive amounts of encrypting/decrypting.
 
ok Anthem, you fucked me on this.

You owe me free health care for the rest of my life. Including the most expensive name brand drugs.

Yeah, right. Try 1-year free credit monitoring on them.

(...that hacked companies even offer such a thing infuriates me -- "Hey, we done messed up, but we'll make it right by subbing you to a service so you can watch the precise moment when your entire identity is stolen out from under you because of us! LOL! You're welcome!")

I literally just wrote my congressman and the short story was: require anything with a social security number to be encrypted period.

Keeping your social security number "secret" is an entirely lost cause. I could get yours in ten minutes if I wanted to. Any unique, non-changing number attached to a person for identity is only a matter of time before it's ganked.

Google demanded a copy of my SSN and birth certificate in order to allow me to make a google+/youtube account.

What ze helll? When did Google start asking for that?? I've never had to show Google either of those, nor would I -- especially for a Google+ account, lol. C'mon man, you're worth more than that ;)

Hey guys, if you want to seem like more of an authority on the law, try spelling it correctly. HIPAA, not HIPAA. Two As, not two Ps. It's HIPAA, not a modified hippopotamus.

Lol, seriously dude? When correcting others' spelling on the interwebz, the first thing you always do is triple-check your own spelling before posting, even if it's a misspelling of a misspelling. A rookie mistake.
 
Lol, seriously dude? When correcting others' spelling on the interwebz, the first thing you always do is triple-check your own spelling before posting, even if it's a misspelling of a misspelling. A rookie mistake.

So, wait. There's actually a person out there somewhere, sitting at his computer, who thought it was a good idea to dispense tactical advice on the optics of correcting names? Really?

I've seen it all.
 
HIPAA mandates that Personal Health Information be protected adequately and if there is a vulnerability then it needs to be addressed. That is, while it doesn't explicitly require encryption it does in practice unless the holder can demonstrate why it shouldn't have to.

Anthem is going to be in it deep for this oversight you can bet on that.
 
"Rogue IT"'s finest hour! Just because that dumbass CEO can open a spreadsheet, he thinks he knows computers and IT.
 
I literally just wrote my congressman and the short story was: require anything with a social security number to be encrypted period.

Well, Anthem just wrote your congressman a check for XXXXXXXX$ that said more will be coming if you don't change the regulations, and asked them to lobby for leniency on this breach. I mean, they are so big, a large fine would hurt them and they don't want that....
 
Well, Anthem just wrote your congressman a check for XXXXXXXX$ that said more will be coming if you don't change the regulations, and asked them to lobby for leniency on this breach. I mean, they are so big, a large fine would hurt them and they don't want that....

There's already legislation and regulation in place. It didn't work. More of something that didn't work isn't the answer.
 
How many people will get fired over this, and how big of a raise will the CEO get for doing so?

No one will get fired. Well, the bullshit will roll down hill and some data goon will get the shaft. Everyone else will get a raise and promotion.
 
There's already legislation and regulation in place. It didn't work. More of something that didn't work isn't the answer.

I love how everything gets lumped in as 'regulation' and regulation bad *grunt*! It didn't work not because it was 'regulations', it was because it's poorly written/filled with loopholes. Also, they *should* get fucked so hard, with a number so big for this violation, that no other companies will want to risk that and will hopefully take another look at their own security.

But we all know this is going to be a corporate/government circle jerk, and they will get a slap on the wrist with some silly little 50 million dollar fine, which is pocket change for that company.
 
Where's the good ole days when the CEO would commit suicide over something like this? Nowadays he'll probably get "punished" by only getting 70% of his 20M yearly bonus instead of 100%.
 