The call for more systemic changes to prevent mega-hacks is getting louder after hackers hit Anthem, the nation's second-largest health insurer. The company says cyberthieves gained access to the addresses, employment information and Social Security numbers of 80 million customers and employees.
Eighty million individuals is a lot — it's roughly the populations of California, Texas and Illinois combined.
"It's large in health care. It's probably the largest health care breach that we've seen, and maybe that the government has seen," says Katherine Keefe, who leads global cybersecurity response for Beazley, which insures businesses against data breaches.
Keefe is not working with Anthem on this but does help protect other insurers. She says health data — should hackers get to the information — are especially lucrative on the black market, where hackers sell the data they steal.
"A data set containing health information alone, diagnosis information or treating physician name and information can get $40 to $50 per record on the street, on the black market versus one credit card number [which] can garner between $4 and $5 on the street. So you see kind of the relative weights," Keefe says.
In this case, Anthem spokesman Tony Felts says hackers didn't get to highly sensitive medical information, like test results or past claims.
"At this time there is no evidence that banking, credit card or medical information was targeted or compromised in this attack," Felts says.
But the insurer is working hard to clean up what's been breached. It's following the playbook of what companies have to do now, in the age of the mega-hack. Whether it's retailers like Target and Home Depot, or big banks, like JPMorgan Chase, the hacks are continuing.
"We're going to need federal legislation to address security issues to keep these huge hacks from happening," says Waldo Jaquith, who leads U.S. Open Data, which works with the public sector and private companies to better understand, store and share data.
The Obama administration has already proposed a data protection act — which would require companies like Anthem to publicly disclose they've been hacked within 30 days. Anthem disclosed its breach within a week. So experts like Jaquith say it's not enough to require reporting after a hack. He suggests putting minimum security requirements into law — like requiring much stricter passwords and customer authentication.
"Our lives are mediated by digital technology now," Jaquith says. "So we can no longer pretend that what happens on the Internet isn't real life. My health data, the history of my health data is very much my life. And we need requirements in place to ensure that a minimum level of security is in place to protect crucial data about everybody's lives."
Until there are more systemic changes, consumers are left feeling pretty helpless.
"We are helpless, yes. There are individual things we can do like have better passwords. But in the end it's up to companies like Anthem to get their act together," Jaquith says.
Anthem has started a dedicated website and phone number (877-263-7995) for consumers who were affected or think they may have been affected by this breach. The company is working with federal investigators and a private firm to find out how this hack happened.
Transcript
ROBERT SIEGEL, HOST:
Hackers have hit the nation's second-largest health insurer - Anthem. The company says the attack didn't involve medical records, but the hackers did gain access to addresses, employment information and Social Security numbers of 80 million customers and employees. So far there is no definitive word on who's responsible. NPR's Elise Hu has more.
ELISE HU, BYLINE: Eighty million individuals is a lot. It's roughly the populations of California, Texas and Illinois combined.
KATHERINE KEEFE: It's large in health care. It's probably the largest health care breach that we've seen.
HU: Katherine Keefe leads cybersecurity response for Beazley, which insures businesses against data breaches. She's not working with Anthem on this, but does help protect other insurers. She says health data, should hackers get to it, is especially lucrative on the black market where hackers sell the data they steal.
KEEFE: A data set containing health information alone, you know, diagnosis information or treating physician name and information can get $40 to $50 per record on the street, on the black market, versus one credit card number can garner between $4 and $5 on the street.
HU: In this case, Anthem spokesman Tony Felts says hackers didn't get to highly sensitive medical information, like test results or past claims.
TONY FELTS: At this time, there is no evidence that banking, credit card or medical information was targeted or compromised in this attack.
HU: But the insurer is working hard now to clean up what's been breached. It's following the playbook of what companies have to do now in the age of the mega-hack. Whether it's retailers like Target and Home Depot, or big banks, like JPMorgan Chase, the hacks keep happening.
WALDO JAQUITH: We're going to need federal legislation to address security issues to keep these huge hacks from happening.
HU: Waldo Jaquith heads the organization U.S. Open Data, which works with the public sector and private companies on data issues. The Obama administration has already proposed a data protection act, which requires companies like Anthem to publicly share they've been hacked within 30 days. Anthem disclosed its breach within a week, but Jaquith says it's not enough to require reporting after a hack. He suggests putting into law minimum security standards - things like stricter password and authentication requirements.
JAQUITH: Our lives are mediated by digital technology now, and so we can no longer pretend that what happens on the Internet isn't real life. My health data, the history of my health data, is very much my life. And we need requirements in place to ensure that a minimum level of security's in place to protect crucial data about everybody's lives.
HU: Until there are more systemic changes, he says consumers are left feeling pretty helpless.
JAQUITH: We are helpless (laughter) yes. There are individual things we can do, like have better passwords, but in the end, it's up to companies like Anthem to get their act together.
HU: Anthem says it's working with federal investigators and a private security firm to figure out how this hack happened. Elise Hu, NPR News, Washington. Transcript provided by NPR, Copyright NPR.