Investigators of a massive data breach at Anthem are examining evidence that suggests the incident—believed to be the largest health care cyberattack in history—may be linked to Chinese state-sponsored hackers, according to sources familiar with the investigation.
Background on the hack
Anthem on Wednesday announced that hackers had accessed a database containing the personal information of about 80 million of its customers, former customers and employees.
Anthem spokesperson Cindy Wakefield said that the company is "still investigating to determine how many were impacted" but that "[a]t this point we believe it was tens of millions." The company said it did not yet know the source of the cyberattack.
More details on what may be history's largest health care cyberattack
According to Bloomberg Business, the hack is similar to a pattern of thefts of medical data conducted by foreign hackers seeking a way into the personal information of a select group of individuals, including defense contractors, government employees, and others.
Moreover, two individuals familiar with the investigation say the technical details of the breach involve "fingerprints" of a nation-state and that China is an early suspect. However, the Chinese government has previously stated that it does not conduct espionage via data hacking.
The FBI is leading the probe into the hack, according to Anthem.
Experts: It doesn't matter how big you are. All companies are at risk.
CynergisTek founder and health care security expert Mac McMillan said the attack "basically proves that it doesn't matter how big you are or how much money you spend, and how diligent you are at protecting your data, you can still have an incident," adding, "Everybody could have a breach."
Experts say the attack shows why organizations need stringent cybersecurity measures and skilled IT staff to protect consumers' private data. In addition, organizations should have a multifaceted strategy for protecting against hackers, including:
- Access control measures;
- Antivirus tools;
- Employee training;
- Internal and external firewalls; and
- Phishing filters.
Furthermore, because attacks could still occur, companies should have cybersecurity insurance as well as ways to quickly identify and respond to attacks. Organizations' contracts with other companies that have access to consumer data should also detail how the contractor will protect that data and respond if an attack occurs.
According to Modern Healthcare, the attack could prompt many health care organizations to re-evaluate their IT security systems, which the groups typically have not spent much money developing, relative to other regulated industries. Boston University health policy professor Alan Sager said, "The ability of health care companies to compile data has grown far faster than their ability to protect it," adding, "For too many organizations it's more about maximizing revenue, while protecting patient confidentiality ranks at the bottom."
Experts ID one place where health companies can improve security
For example, experts pointed to Anthem's weak security system as the reason it was vulnerable to hacking. They noted that Anthem did not encrypt the consumer data it stored, as it did for medical information that was shared outside of its database. In addition, Anthem—like many other health care organizations—did not store personal data in separate databases that could be locked if an attack occurred, experts said.
In response, HHS's Office for Civil Rights is urging health care companies to encrypt as much data as they can. However, HIPAA does not require encryption when the data are stored, only when the data are shared (Riley/Robertson, Bloomberg Business, 2/5; Harwell/Nakashima, Washington Post, 2/5; Rubenfire/Conn, Modern Healthcare, 2/5 [subscription required]; Terhune, Los Angeles Times, 2/5; Yadron/Beck, Wall Street Journal, 2/5).