Emails from Anthem, America’s second-largest health insurer, arrived in people’s inboxes today reporting a massive “very sophisticated external cyberattack,” in the words of Anthem president and CEO Joseph Swedish, who noted that his own information was among the data exposed. Personally identifiable information (PII) belonging to as many as 80 million past and current customers across 14 states may now be in the hands of the attackers. As more details are reported, this will likely prove to be one of the largest data breaches in U.S. history and perhaps the largest ever in the healthcare industry.
Exposure of PII such as Social Security numbers, names, birth dates and addresses is enough to put customers on edge. Anthem noted that payment card data and medical information were not accessed in this breach. That limits the damage, although identifying data held by a health plan is still protected health information under HIPAA, so breach-notification obligations still apply. If the claim holds up, it suggests that Anthem kept its critical data assets in separate stores, so that compromise of one did not expose the others.
Anthem also followed best practice by quickly notifying the FBI once it had detected suspicious network activity; it clearly had an incident-response plan in place to follow. As with most crimes, the sooner an investigation begins, the better the chances of identifying the culprits, establishing what happened and learning how it might have been prevented. That will continue to unfold as the investigation moves forward.
As Mr. Swedish described, this was a very sophisticated attack and there will be more like it in 2015. The best defenses still begin with the basics:
- Restrict data access to only those employees who need it
- Screen personnel that have access to PII and other critical data
- Train employees to effectively protect data and to respond in the event of a data breach
- Keep information systems and anti-virus software up to date, and operating systems and applications properly patched
- Encrypt important data to prevent access by unauthorized parties, and keep the keys separate from the data store; an attacker holding a legitimate user’s credentials can read whatever that user is allowed to decrypt, which is why encryption complements access restriction rather than replacing it
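As an added example, not code from the original post and not a description of Anthem’s systems, the following Python data-access layer shows what the first point and the data separation praised above look like in practice: identifying, medical and payment data live in three separate stores, each role may read only the (store, column) pairs its job requires, a derived column hands the service desk the last four digits of a Social Security number without ever exposing the full value, and every request, granted or denied, is written to an audit log so that a burst of denied reads can be spotted early. The store names, roles, member record and permissions are all constructed for illustration.

```python
"""Least-privilege reads over separated data stores (added example).

All stores, roles, permissions and the member record below are constructed
sample data for illustration; they are assumptions, not any real system.
"""
from typing import Callable, Dict, List, Set, Tuple

# Three separate stores: compromise of one must not expose the others.
PII_STORE: Dict[int, Dict[str, str]] = {
    1001: {"name": "Ada Example", "ssn": "123-45-6789",
           "dob": "1970-01-01", "address": "1 Main St"},
}
MEDICAL_STORE: Dict[int, Dict[str, str]] = {
    1001: {"diagnosis_codes": "E11.9"},
}
PAYMENT_STORE: Dict[int, Dict[str, str]] = {
    1001: {"card_last4": "4242"},
}
STORES: Dict[str, Dict[int, Dict[str, str]]] = {
    "pii": PII_STORE, "medical": MEDICAL_STORE, "payment": PAYMENT_STORE,
}

# A permission is one (store, column) pair; roles get only what the job needs.
Permission = Tuple[str, str]
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "claims_analyst": {("pii", "name"), ("pii", "dob"),
                       ("medical", "diagnosis_codes")},
    "billing":        {("pii", "name"), ("pii", "address"),
                       ("payment", "card_last4")},
    "enrollment":     {("pii", "name"), ("pii", "dob"),
                       ("pii", "address"), ("pii", "ssn")},
    # The service desk verifies callers with the last four digits only.
    "service_desk":   {("pii", "name"), ("pii", "ssn_last4")},
}

# Derived columns: minimised views computed from a record, so that roles
# can be granted the view without being granted the underlying value.
DERIVED: Dict[Permission, Callable[[Dict[str, str]], str]] = {
    ("pii", "ssn_last4"): lambda rec: rec["ssn"][-4:],
}

# Audit trail of every request, granted or denied.
AUDIT_LOG: List[Dict[str, object]] = []


class AccessDenied(PermissionError):
    """Raised when a role asks for any column it is not entitled to."""


def can_read(role: str, requested: List[Permission]) -> bool:
    """True only if every requested (store, column) pair is granted to role."""
    allowed = ROLE_PERMISSIONS.get(role, set())
    return all(p in allowed for p in requested)


def read_member(role: str, member_id: int,
                requested: List[Permission]) -> Dict[str, str]:
    """Return only the requested columns the role may see.

    The whole request is refused if any single column is unauthorized, and
    both outcomes are logged before any data is touched.
    """
    granted = can_read(role, requested)
    AUDIT_LOG.append({"role": role, "member": member_id,
                      "requested": list(requested),
                      "outcome": "granted" if granted else "denied"})
    if not granted:
        allowed = ROLE_PERMISSIONS.get(role, set())
        refused = [p for p in requested if p not in allowed]
        raise AccessDenied(f"role {role!r} may not read {refused}")

    result: Dict[str, str] = {}
    for store, column in requested:
        record = STORES[store].get(member_id)
        if record is None:
            continue  # member absent from this store; nothing to return
        if (store, column) in DERIVED:
            result[f"{store}.{column}"] = DERIVED[(store, column)](record)
        elif column in record:
            result[f"{store}.{column}"] = record[column]
    return result


def denied_events() -> List[Dict[str, object]]:
    """Denied requests from the audit log; a spike here is worth an alert."""
    return [e for e in AUDIT_LOG if e["outcome"] == "denied"]


if __name__ == "__main__":
    print(read_member("claims_analyst", 1001,
                      [("pii", "name"), ("medical", "diagnosis_codes")]))
    print(read_member("service_desk", 1001, [("pii", "ssn_last4")]))
    try:
        read_member("claims_analyst", 1001, [("pii", "ssn")])
    except AccessDenied as exc:
        print("denied:", exc)
    print("denied so far:", len(denied_events()))
```

The point of the `service_desk` role and the `DERIVED` table is data minimisation: a stolen service-desk account yields four digits per member, not a full Social Security number. Refusing the whole request rather than silently dropping the unauthorized columns is deliberate, because a client that keeps asking for columns it cannot have is exactly the behaviour the audit log should make visible.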
Events like this reinforce the fact that data breaches are a fact of life for every organization. Healthcare will remain a primary target because of the extent of private information contained in patients’ records. As with Target and the other major breaches of 2014, lessons will be learned about how to better protect ourselves against future attacks, take the necessary defensive measures and prepare to respond quickly when the next event occurs.