The Anthem data breach in 2014–2015 was the largest healthcare data breach ever. But healthcare cyber security has improved since then.
The data breach of healthcare giant Anthem, which came to light a little more than four years ago, exposed about 79 million patient records. It was the biggest single compromise of healthcare data in history.
It still is—which is good news regarding the security of patient data held by healthcare organizations. No single breach since then has been worse. The Anthem data breach pushed the total number of records exposed in 2015 to 112 million, and no year since then has seen anything close. However, the number of breaches has increased, from the 250 range to more than 350 most years. So it would be hard to label Anthem a wake-up call that changed the world of healthcare data security.
The breach of the Indianapolis-based health insurer formerly known as WellPoint—the largest for-profit company in the Blue Cross and Blue Shield Association—compromised the electronic health records of nearly 79 million patients. Data included names, Social Security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.
And it began the way so many breaches do—with a phishing email.
According to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), hackers sent phishing emails to an Anthem subsidiary. At least one employee responded. Attackers were able to plant malware on the company’s system and gain remote access to confidential information.
Investigators found that the advanced persistent threat (APT) attack began Feb. 18, 2014. The exfiltration of data began Dec. 2, 2014, and continued until it was discovered Jan. 27, 2015. Anthem publicly acknowledged the data breach in early February. Investigators said the sophistication of the attack pointed to a nation-state.
As recently as last fall, Anthem said it had found no evidence of identity theft stemming from the attack.
And an investigation by the California Department of Insurance concluded that Anthem took “reasonable measures” to protect its data before the data breach and had employed a remediation plan to respond to the breach.
“The team noted Anthem’s exploitable vulnerabilities, worked with Anthem to develop a plan to address those vulnerabilities, and conducted a penetration test exercise to validate the strength of Anthem’s corrective measures,” the department said in its statement. “As a result, the team found Anthem’s improvements to its cybersecurity protocols and planned improvements were reasonable.”
But the OCR’s investigation found differently. That investigation concluded that Anthem had failed to perform a number of security activities, including these:
“Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information,” said OCR Director Roger Severino.
Last November, Anthem agreed to pay $16 million to the OCR to settle violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. That settlement set a record—nearly three times the previous high of $5.55 million paid by Advocate Health Care in 2016.
Besides that, a U.S. District Court judge gave final approval last August to a $115 million settlement to end further legal claims against Anthem for the data breach.
The money will be used, in part, to provide victims a minimum of two years of credit monitoring and identity theft protection. Those who show they already have a credit monitoring service will receive cash instead. And the fund will reimburse victims for out-of-pocket costs connected to the breach.
Those settlements and other related costs for security improvements are costing the company an estimated $260 million.
$260 million seems like a staggering sum of money. But in the world of big business, everything is relative. Overall, the breach hasn’t put much of a dent in Anthem’s bottom line.
For the 2017 fiscal year, the company reported revenue of more than $90 billion (up 6.1% from the previous year), earnings of $3.84 billion (up more than 55% from $2.47 billion the previous year), and a market capitalization in October 2018 of $69.1 billion.
So while $260 million is 6.7% of Anthem’s 2017 earnings, it is well below a half percent of the company’s annual revenue or value—barely a rounding error.
Also, the company reportedly had multiple levels of cyber insurance, with coverage estimated at $150 million to $200 million. So its net losses could be less than its employee travel budget.
Even with the hundreds of millions in costs and settlements, Anthem has not admitted to any liability.
The healthcare sector has seen a marked decline in the number of records exposed, but not in the number of breaches.
Throughout 2015, OCR reported 253 data breaches, with five besides Anthem totaling more than a million records. The total for the year was nearly 112 million.
Two years later, the Identity Theft Resource Center found that reported healthcare breaches had increased an estimated 40%. The center did offer a caveat: They couldn’t say whether the increase was due to more breaches or just more comprehensive reporting.
Most breaches were the result of hacking, but in second place was insider theft or employee error/negligence.
For 2018, OCR reported 351 breaches, with just over 13 million records compromised.
Organizations are required to report breaches of more than 500 records. And as of last week, the OCR had received reports of 29 healthcare data breaches in 2019. The total number of records compromised so far was 479,831. The single largest breach was 111,589 records, from Centerstone Insurance and Financial Services in Texas, dba BenefitMall.
If that rate continues for the rest of the year, the number of breaches will have remained relatively the same. But the number of compromised records will have declined again, to a little more than 5.7 million.
While it doesn’t mean the problem is solved, it’s an encouraging trend.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.