Anthem Grossly Negligent: 79 Million Unencrypted Records Stolen

Anthem Blue Cross, Denver

  • Local Grandmother at Risk
  • They Took Everybody’s Digits, But No Risqué Selfies
  • Anthem: Sorry, Protecting Your Data is a Hassle
  • Eight Steps You Can Take Since Anthem Can’t Be Trusted
  • Security That Isn’t Pathetic

Local Grandmother at Risk

Hacks are never good news for the individual. Those of us who spend a lot of time online worry about losing our passwords, but the password is only the key; what really matters is what it protects: all that PII (personally identifiable information) sitting behind it. Storing data in more places raises the risk, but our information lives in the computer networks of the government and our service providers whether we ever open an account or not.

Let’s say, for example, that you are a 79-year-old woman who has never set up a web account, preferring to stay up all night quilting, listening to Amos ‘n’ Andy, and making your way through a never-ending supply of groceries that you purchased in 1979. However, you have a Medicare supplemental policy from Anthem.

You are on the grid, and you have just been hacked. Coincidentally, given your age and the sell-by date on all the food you eat, you are actually among 79 million violated users.

They Took Everybody’s Digits, But No Risqué Selfies

According to the nonprofit consumer information site Consumerist, Anthem announced late on February 4 that it had been breached, and the attackers made off with what amounts to its entire member database: “The purloined personal information includes names, dates of birth, social security numbers, street addresses, e-mail addresses, employment information, and income data.”

The theft doesn’t just impact Anthem customers but its employees as well. In some cases even non-customers had their data stolen; basically every account and personal record the insurer had on file went out the door.

Sadly, it was all just a bunch of boring numbers and words, not one nude celebrity photo.

What else wasn’t taken in the hack?

  • Medical Records
  • Payment Data
  • Recipes for Chicken Pot Pie
  • Videos of cats riding skateboards and wearing sunglasses.

Anthem is the #2 health insurance provider in the United States: 38 million people are covered under its policies, many of them under the Blue Cross Blue Shield brand, which Anthem licenses in 14 states.

Many companies have been embarrassed in recent years by learning of their own infiltration from an outside party’s public announcement. Anthem, to its credit, noticed this breach itself, then contacted the FBI and hired an outside security firm to assess the damage.

The information that was taken belonged to approximately 65 million clients and employees, essentially everyone who had been in Anthem’s system from 2004 forward. Some of it belonged to Blue Cross Blue Shield customers from other states who had used the Anthem network.

Disturbingly, the haul also included data on another 14 million people who were never Anthem customers, records that had perhaps been shared with the insurer by other plans. Who are those individuals? Who knows? Anthem doesn’t, at least not as of February 28.

Anthem, caught with its pants down, is offering us roses: two free years of an identity-monitoring plan.

Anthem: Sorry, Protecting Your Data is a Hassle

Hopefully Anthem gets body slammed by federal investigators and lawsuits. Anthem did not encrypt the data at rest, and the reason it gave amounts to: that’s a hassle. (HIPAA’s Security Rule treats encryption of stored data as “addressable” rather than mandatory, which is how a company can skip it and still call itself compliant.) Translation: Anthem is too busy making money to be bothered with the superfluous concern of security. That makes it clear the insurer was grossly negligent and should not have been entrusted with anyone’s information in the first place.

A kind lady who cares about you and your children on behalf of Anthem told the Wall Street Journal that the company was actually incredibly responsible. When your data is stored with them, sure, it isn’t encrypted. When they move it around, it is. And when the information is at rest, the insurance carrier uses “other measures, including elevated user credentials, to limit access to the data when it is residing in a database.”

That’s comforting. “Encrypted in transit” means TLS on the connection between your browser and their servers, which every site with a login form already has; the certificate behind it can be self-signed (a.k.a. free) or bought for about $9, so the company is sparing no expense. More to the point, transport encryption protects data only while it is on the wire. Once it lands in the database it is plaintext, and so is every backup tape and disk image taken from that database. As for the “other measures”: “elevated user credentials” is not two-factor authentication, the thing many Joe Schmoes have on their Facebook accounts. It just means the database only answers to privileged accounts. That is ordinary access control, and it is exactly what stops working the moment one of those privileged credentials is stolen, because the database hands whoever holds it the same plaintext it hands the application. Encryption at rest doesn’t fix that either, which is the caveat worth knowing: it protects against lost backups, stolen disks and raw table dumps, not against an attacker who logs in as you. The defense against the latter is keeping privileged credentials rare, hard to steal (that is where two-factor belongs) and watched, so that a query pulling tens of millions of rows sets off alarms.
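To make the at-rest versus in-transit distinction concrete, here is an added example in Go. It is not Anthem’s code and not from the original article; it is a stand-in member table whose SSN column is stored either as plaintext (the configuration described above) or as AES-256-GCM ciphertext under a key the application holds. The table, the member name and SSN are constructed for the demo, and deriving the key from a string is a placeholder for fetching it from a KMS or HSM. A raw dump of the plaintext table exposes the SSN, the encrypted table’s dump does not, and the application’s own lookup path returns plaintext in both cases, which is the caveat from the paragraph above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ssnTable stands in for the insurer's member table: name -> SSN column as stored.
// With aead == nil the column holds plaintext; with a key configured it holds
// nonce||AES-GCM ciphertext, hex-encoded, as it would sit on disk or on a backup.
type ssnTable struct {
	rows map[string]string
	aead cipher.AEAD
}

func newTable(key []byte) (*ssnTable, error) {
	t := &ssnTable{rows: map[string]string{}}
	if key == nil {
		return t, nil // plaintext mode
	}
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	t.aead, err = cipher.NewGCM(block)
	return t, err
}

// Insert encrypts before the value reaches storage. A fresh random nonce is used per
// row, and the member name is bound as associated data so a ciphertext cannot be
// copied from one row into another without failing authentication.
func (t *ssnTable) Insert(name, ssn string) error {
	if t.aead == nil {
		t.rows[name] = ssn
		return nil
	}
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := t.aead.Seal(nonce, nonce, []byte(ssn), []byte(name)) // output is nonce||ciphertext
	t.rows[name] = hex.EncodeToString(ct)
	return nil
}

// Lookup is the application path: the caller gets plaintext. Whoever holds the
// application's database credential therefore gets plaintext too; encryption at
// rest does not change that.
func (t *ssnTable) Lookup(name string) (string, error) {
	stored, ok := t.rows[name]
	if !ok {
		return "", errors.New("no such member")
	}
	if t.aead == nil {
		return stored, nil
	}
	raw, err := hex.DecodeString(stored)
	if err != nil {
		return "", err
	}
	n := t.aead.NonceSize()
	if len(raw) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := t.aead.Open(nil, raw[:n], raw[n:], []byte(name))
	if err != nil {
		return "", err // wrong key, tampered bytes, or ciphertext moved to another row
	}
	return string(pt), nil
}

// DumpExposes models what a disk image, backup tape or raw table dump reveals:
// true if the plaintext SSN is readable in the stored column.
func (t *ssnTable) DumpExposes(ssn string) bool {
	for _, stored := range t.rows {
		if strings.Contains(stored, ssn) {
			return true
		}
	}
	return false
}

func main() {
	const name, ssn = "Edna Example", "123-45-6789" // constructed sample, not real data

	plain, _ := newTable(nil)
	_ = plain.Insert(name, ssn)
	fmt.Println("plaintext table: dump exposes SSN =", plain.DumpExposes(ssn))

	// Demo-only key material; a real deployment pulls the key from a KMS/HSM, never from the DB.
	key := sha256.Sum256([]byte("demo-only key material"))
	enc, _ := newTable(key[:])
	_ = enc.Insert(name, ssn)
	got, _ := enc.Lookup(name)
	fmt.Println("encrypted table: dump exposes SSN =", enc.DumpExposes(ssn), "; app lookup returns", got)
}
```

Run it with `go run`. Binding the member name as GCM associated data means a ciphertext copied into another row fails to decrypt, so an attacker with write access to the table cannot quietly reassign records; it does nothing, though, against an attacker who simply calls Lookup with a stolen application credential.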

Eight Steps You Can Take Since Anthem Can’t Be Trusted

Here are a few quick steps you can take, as suggested by Violet Blue of ZDNet:

Step #1 – Credit bureau security freezes & fraud alerts

Note that there are two distinct things you can do with the credit bureaus: a freeze and a fraud alert. A freeze blocks new creditors from pulling your file, so nobody can open an account in your name until you lift it; a fraud alert only asks creditors to verify your identity before extending credit. A freeze costs money with each bureau, both to freeze and to unfreeze your file.

Freeze Links:

Alert Links:

Security That Isn’t Pathetic

Like Anthem, cloud providers often have terrible security. We don’t. Our three datacenters are audited to meet the strict standards of the American Institute of CPAs, through its SSAE 16, Type II standard. Try cloud minus the confusion.

By Kent Roberts

Free Use image via Wikipedia