Officials: Foreign government may have breached health data
SACRAMENTO — A foreign government may have been behind a cyber breach of health insurance company Anthem Inc. that compromised the records of more than 78 million consumers, investigators said Friday. They declined to identify the hackers or the foreign government.
Social Security numbers, birthdates and employment details of customers — all key ingredients of identity theft — were accessed in the breach, officials said.
Anthem, the nation’s second-largest health insurer, has agreed to make $260 million in improvements to its information security systems as part of a settlement with insurance regulators in most U.S. states and territories.
The company will also provide credit protection to consumers whose information was compromised.
The insurer is licensed in all 50 states and conducts business under brands including Blue Cross Blue Shield, Unicare, CareMore and Amerigroup.
Investigators from the cybersecurity firm CrowdStrike identified the attackers with “high confidence” and concluded with “medium confidence” that they were working for a foreign government, according to a report released by California Insurance Commissioner Dave Jones.
“Insurers have an obligation to make sure consumers’ health and financial information is protected,” Jones said in a statement.
A finding of high confidence means the information is verified by multiple sources or a single highly reliable source. Medium confidence means the information is open to multiple interpretations or not reliable enough to warrant higher confidence.
Federal law enforcement officials requested that Jones not identify the foreign government due to an ongoing investigation, said Madison Voss, a spokeswoman for the insurance department.
Previous attacks by that same government have not resulted in personal information being sent to non-governmental entities, CrowdStrike said in its report.
Investigators say intruders cracked Anthem’s database in February 2014 with a phishing email and evaded multiple layers of security. The hackers eventually gained remote access to at least 90 systems within the Anthem enterprise.
California insurance commissioners concluded that shortfalls in Anthem’s security protocols were typical for a company of its size and declined to issue fines or other punishment. They said the company responded promptly, ejecting the cyber intruders within three days and notifying affected customers.