Benner on Tech: Hackers Hit Anthem
People are Talking About…
Anthem, the nation’s second-largest health insurer, said last night that it was the victim of an external cyberattack. The FBI and security researchers are still working to figure out the scope of the attack, but they’ve been able to confirm that hackers got into a database that had up to 80 million past and present customer records, as well as records of employees.
No one is yet sure what was taken, but Anthem suspects that the criminals got names, addresses, email addresses, employment-related information and dates of birth. But there’s a lot we don’t know. No credit card data is believed to have been stolen. No medical records -- including test results, doctor information or insurance claims -- are believed to have been stolen. But this hasn’t been confirmed. No one is sure who attacked the system. No one is sure how much this will cost Anthem in the end.
I spent the night on the phone with security researchers who are figuring out the scope of the attack. They work with a health-care-focused, information sharing security organization called the National Health Information Sharing and Analysis Center, or NH-ISAC. I’ve written about this group before, which is trying to beef up the industry’s cyber defenses:
Most of the industries that are considered part of the country's critical infrastructure have an ISAC, such as aviation (A-ISAC), defense (DIB-ISAC) and financial services (FS-ISAC). These groups were created during the past decade or so as a way to let companies in a given sector share information about data breaches. Financial services, which have taken security seriously for longer than most of corporate America, started its ISAC in 1999. The health-care ISAC came much later, opening in 2010.
They say that it’s too early to know how big the breach is, but that it has the potential to be twice as large as the Target hack. It was first detected a week ago. Anthem has a website and hotline (877-263-7995) that customers can use as resources. Anthem customers received emails last night saying that they will get free identity repair and credit monitoring services. (Bloomberg LP is an Anthem customer.)
Healthcare is a particularly enticing target for hackers because it involves a huge web of companies that all have access to particularly sensitive data. This breach should be taken very seriously amid the current movement to digitize records, especially health records - any electronic file that’s attached to the Internet can be breached.
One interesting wildcard: researchers are trying to figure out whether the attacker came in through a service provider. The big health insurers and other healthcare service providers are all very worried about suppliers that have access to their networks. That could include everyone from a blood testing lab to a hospital to a company that washes uniforms for a hospital to a records and archival company.
One security vendor I spoke with said that one of his clients, a big health care company, has 15,000 suppliers that have access to its network. It can only afford to audit 12 of those suppliers a year and it costs about $150,000 to conduct each audit. That's nearly $2 million just to do just a dozen checks a year.
Right now the big picture is fuzzy, so any "lessons learned" will depend greatly on whether this is malware or an attack strategy that we've seen before. Researcher Pierluigi Paganini notes that when Anthem suffered a data breach in 2010 that involved 612,402 customers. It ended up paying the U.S. Department of Health and Human Services $1.7 million to settle potential HIPAA privacy rule violations.
As this story unfolds, I suspect that we’ll see healthcare companies spend a lot of money to upgrade security systems over the next three to six months and (given that this involves patient health records) we could see some proposed legislation too.
** The other big news: The FCC moves to settle the net neutrality question and regulate broadband like a utility under Title II. Chairman Tom Wheeler said:
I am submitting to my colleagues the strongest open internet protections ever proposed by the FCC. These enforceable, bright-line rules will ban paid prioritization, and the blocking and throttling of lawful content and services. I propose to fully apply—for the first time ever—those bright-line rules to mobile broadband.
* The Verge has the ISP response.
Discipline.eu, an Italian startup that sells furniture, was bought by Hem, the home furnishings startup founded by Fab.com’s Jason Goldberg, reports TechCrunch.
Launchpad Toys, which makes the storytelling app Toontastic, was acquired by Google, CNET reports. The deal terms were not disclosed.
Sunrise, the calendar app maker, has been purchased by Microsoft for at least $100 million, TechCrunch reports.
The apps My Fitness Pal and Endomondo were acquired by Under Armour for $475 million and $85 million, respectively, reports the Next Web.
People and Personnel Moves
Ross Ulbricht, the founder of the Silk Road website, has been convicted on charges of drug trafficking on the Internet, narcotics-trafficking conspiracy, running a continuing criminal enterprise, computer-hacking and money-laundering, Bloomberg reports. He faces life in prison and will be sentenced in May.
Don Kingsborough has left PayPal after spearheading the move to payments in the physical world. Re/code spoke with Kingsborough, who admitted that he was frustrated with PayPal’s efforts to get into brick-and-mortar stores.
** The company is in deal talks with programmers so that it can offer its own “over the top” pay-TV service, according to Re/code.
** U.S. customers bought more iPhones than Android devices for the first time in three years, reports TechCrunch.
The company’s mobile communications unit will cut another 1,100 employees, in addition to the already announced 1,000 job cuts, Fierce Wireless reports.
** The company struck a deal with Google so that tweets will be visible in search results in real time, Bloomberg reports. Google gets access to Twitter’s so-called firehose, the valuable stream of data generated by Twitter’s 284 million users.
** CEO Dick Costolo admits in a series of emails that the company has a problem with online abuse saying, "We suck at dealing with abuse and trolls on the platform and we've sucked at it for years," the Verge reports.
Spyware that is being used to target Western governments and journalists has now appeared on iOS devices, reports Ars Technica.
The Sony Pictures hack has so far cost Sony an estimated $15 million, the Los Angeles Times reports.
Buzzfeed and Snapchat were supposed to work together on the messaging service’s Discover feature, which shows articles and videos, but the deal fell apart. The Wall Street Journal has the details.
News and Notes
China’s 649 million Internet users must register with Internet companies under their real names thanks to new rules passed by the nation’s cyber regulator, reports the South China Morning Post.
Crisis Text Line, the first and only crisis-intervention hotline to operate exclusively by text message, is featured in the New Yorker and the story is fascinating.
Your iPhone could kill your creativity by not letting you ever be bored, argues Monica Guzman in Geek Wire.
This column does not necessarily reflect the opinion of Bloomberg View's editorial board or Bloomberg LP, its owners and investors.
To contact the editor on this story:
Timothy L. O'Brien at firstname.lastname@example.org