ERP Data Breaches: The Penalties Are Real… Real Expensive

November 8, 2018 | Security

The 2015 Anthem Medical Data Breach

In August of this year, the United States approved the final judgment against the healthcare company Anthem resulting from the 2015 data breach that exposed the personal information of over 79 million people. This personal information included names, Social Security numbers, dates of birth, email and street addresses, and other data that falls under the protection of the Health Insurance Portability and Accountability Act (HIPAA).

The final penalties included a $115 million settlement paid by Anthem, the reimbursement of demonstrable out-of-pocket costs paid by the victims in dealing with the breach, and an order that Anthem fund a minimum of two years of credit monitoring for impacted consumers.

That is quite a financial blow to Anthem, and it does not even count the cost of the two years of lawsuits and litigation that led to the eventual settlement.

The breach, reportedly conducted via a phishing attack spearheaded by a foreign nation state, clearly exposed the lack of effective authentication and access controls within the Anthem environment. Allegedly, a single user employed by an Anthem subsidiary opened a malicious email, which allowed multiple files to be downloaded to the user's computer and eventually led to the compromise of that user's access to Anthem systems.

We've discussed social engineering attacks and how effective they can be at initiating enterprise-wide breaches. But a key component of the Anthem breach was just how ineffective its controls over access to sensitive data were.

Reportedly, this lack of protection included:

  • Production-level data residing in multiple non-production (testing, development) environments.
  • A lack of step-up authentication capabilities restricting access to sensitive data.
  • A lack of enforcement of the principle of least privilege, which mandates that user accounts have only the roles and permissions needed for their day-to-day job.
  • A lack of an effective single sign-on infrastructure, which typically leads users, in the interest of convenience, to reuse the same usernames and passwords across multiple systems.

Appsian can help shore up protections in many of these areas. Don't become the next Anthem. Let us show you what our security platform can do for your organization.

Want to see what Appsian can do for your PeopleSoft systems?

Request a Demo

© 2018 Appsian. All rights reserved.