Are The Data Breaches At Anthem And CHS Linked?


Top cybersecurity analysts have begun linking the recent Anthem data breach to the one at Community Health Systems (CHS) less than 6 months ago.

Analysis of open source information on the cybercriminal infrastructure likely used to siphon 80 million Social Security numbers and other sensitive data from health insurance giant Anthem suggests the attackers may have first gained a foothold in April 2014, nine months before the company says it discovered the intrusion. Brian Krebs ‒ Anthem Breach May Have Started in April, 2014

From that assessment, another analyst suggested the timeline does support the possibility that the recent Anthem breach was another case of the Heartbleed Bug ‒ a well-documented (and exploited) computer vulnerability that dates back to 2011. The major fix to Heartbleed was released just last year ‒ in April, which is when the bug was discovered and made known globally. Since then, millions of websites have yet to make the necessary fix, and Anthem could be yet another big Heartbleed casualty.

While this is all purely speculation, there are a number of similarities between the two breaches, and they appear to have occurred just days apart. Could this be the exact same group and technique that hit CHS many months ago? Time will tell. Anthem Hacked by Heartbleed? ‒ David Kennedy ‒ CEO and Founder, TrustedSec

There are other possibilities as well, and while we may never know all the details, at least one security analyst doesn't think the data breach at Anthem was necessarily all that sophisticated.

Because it was clearly pre-meditated and because the attackers spent time identifying the vulnerabilities, it definitely qualifies as well executed, but once the initial intrusion was successful, they didn't have too far to look. By gaining admin credentials to the database there was nothing ‒ including encryption ‒ to stop the attack. The only thing that did stop it was a lucky administrator who happened to be paying attention at the right time. Ken Westin ‒ Senior Security Analyst at Tripwire

The word itself ‒ sophisticated ‒ is quickly becoming standard issue for characterizing large data breaches of every kind ‒ including this latest round of mega healthcare breaches less than 6 months apart. Last week it was Anthem, Inc., the largest for-profit managed health company in the Blue Cross Blue Shield Association.

However, despite our efforts, Anthem was the target of a very sophisticated external cyber attack. Joseph R. Swedish, President and CEO of Anthem, Inc. February 4, 2015

Less than 6 months ago, the CHS breach of 4.5 million patient records also made headlines, and CHS likewise elected to blame "highly sophisticated malware" for the breach.

The Company and its forensic expert believe the attacker was an “Advanced Persistent Threat” group originating from China who used highly sophisticated malware and technology to attack the Company’s systems. Community Health Systems, Inc. ‒ SEC Form 8-K filing ‒ August 18, 2014

The Sony data breach last December (which included health information of both employees and dependents) didn't use the word "sophisticated," but the description of the attack by their security contractor was equally forceful.

This attack is unprecedented in nature. The malware was undetectable by industry standard antivirus software and was damaging and unique enough to cause the FBI to release a flash alert to warn other organizations of this critical threat. The bottom line is that this was an unparalleled and well planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared. Kevin Mandia, letter to SPE CEO Michael Lynton ‒ CSO Online

Veteran security analysts viewed the Sony breach (and Kevin Mandia's letter to Sony's CEO) with healthy skepticism.

Adam Caudill, an independent security researcher, has doubts about the description of the attack as "unprecedented" and "unparalleled" that came from Mandia and Sony. To protect their image, they need this to be an unpreventable, incredibly sophisticated attack. Caudill explained that making undetectable malware is not particularly hard. Even if they couldn't detect the malware, they should have detected the unusual activity. You don't steal such a large amount of data without raising some red flags ‒ the question is, was anyone watching? This wasn't a smash-and-grab-type attack that was pulled off quickly; to have penetrated the network so completely, the attackers had clearly been at it for some time. Adam Caudill ‒ Mashable, December 2014
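Westin's point above (once an attacker holds admin credentials to the database, encryption no longer stands in the way) and Caudill's (you cannot pull millions of records without leaving a visible trace) both come down to the same defensive question: is anyone watching what accounts actually read? The script below is an added example, not code from this article or from any of the analysts quoted. It builds a per-account baseline from a database audit log and flags reads that dwarf the account's own history. The pipe-delimited log format, the account names (app_svc, dba_admin), the hosts and the row counts are all constructed for illustration and do not describe any product or any of the breaches discussed.

```python
"""Detect anomalous bulk record reads in a database audit log.

Added example: the log format, account names, hosts and row counts below
are constructed for illustration and are not taken from any real system.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed audit lines. Format: timestamp|db_user|client_host|statement|rows_returned
# Two accounts behave normally for days; then dba_admin, from a host it has never
# used, pulls millions of rows late at night.
SAMPLE_AUDIT_LOG = """\
2015-01-20T09:05:11|app_svc|10.0.4.21|SELECT|42
2015-01-20T10:12:40|app_svc|10.0.4.21|SELECT|57
2015-01-20T11:30:02|app_svc|10.0.4.22|SELECT|38
2015-01-20T12:01:55|app_svc|10.0.4.21|SELECT|61
2015-01-20T14:44:19|dba_admin|10.0.9.5|SELECT|120
2015-01-21T09:15:33|app_svc|10.0.4.21|SELECT|45
2015-01-21T13:20:08|dba_admin|10.0.9.5|SELECT|95
2015-01-21T23:41:17|dba_admin|10.0.77.203|SELECT|5000000
2015-01-22T00:03:44|dba_admin|10.0.77.203|SELECT|4800000
2015-01-22T09:10:05|app_svc|10.0.4.22|SELECT|50
"""


def parse_audit_log(text):
    """Parse the pipe-delimited lines into event dicts, ordered by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, host, stmt, rows = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "host": host,
            "stmt": stmt,
            "rows": int(rows),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bulk_reads(text, factor=20, abs_floor=10_000, min_history=2):
    """Flag SELECTs whose row count is far above the account's own prior reads.

    The baseline for each account is the median row count of its earlier,
    unflagged reads. An event is flagged when rows > max(abs_floor, factor * median).
    The absolute floor stops a hundreds-of-rows baseline from flagging a modest
    report; the multiplier catches the jump from routine access to a bulk pull.
    Each alert also records whether the client host was new for that account.
    """
    history = defaultdict(list)     # user -> row counts of prior normal reads
    known_hosts = defaultdict(set)  # user -> client hosts seen so far
    alerts = []
    for ev in parse_audit_log(text):
        if ev["stmt"] != "SELECT":
            continue
        user = ev["user"]
        prior = history[user]
        # A host is "new" only once the account has an established footprint.
        new_host = bool(known_hosts[user]) and ev["host"] not in known_hosts[user]
        known_hosts[user].add(ev["host"])
        if len(prior) < min_history:
            prior.append(ev["rows"])  # still learning this account
            continue
        baseline = median(prior)
        threshold = max(abs_floor, factor * baseline)
        if ev["rows"] > threshold:
            alerts.append({
                "ts": ev["ts"].isoformat(),
                "user": user,
                "host": ev["host"],
                "rows": ev["rows"],
                "baseline_median": baseline,
                "threshold": threshold,
                "new_host": new_host,
            })
            # Do not feed the anomaly back into the baseline, or the second
            # bulk read of the night would look "normal" next to the first.
        else:
            prior.append(ev["rows"])
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_reads(SAMPLE_AUDIT_LOG):
        flag = " (new client host)" if a["new_host"] else ""
        print(f'{a["ts"]} {a["user"]}@{a["host"]} read {a["rows"]:,} rows; '
              f'baseline median {a["baseline_median"]}{flag}')
```

On the constructed log this raises exactly two alerts, both for dba_admin: the 5,000,000-row read from a previously unseen host, and the 4,800,000-row follow-up. Nothing about the malware matters to this check; it works purely from the volume an account returns relative to its own past, which is the "red flag" Caudill describes. In practice the baseline would be kept per account and per table, and a legitimate bulk job (a nightly ETL from a known host) would be allow-listed rather than tuned away by raising the multiplier.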

The reality is that these large, publicly traded corporations have a very real need to paint an image of "unprecedented," "undetectable" and "unparalleled." The alternative is called negligence, and the class action lawsuits against Anthem have already been filed in 4 states (Indiana, California, Alabama and Georgia). Similar class actions against CHS were also filed last August (here and here).

The image most people have of data breaches is a wily, skilled attacker (or group) breaching a porous hardware network ‒ maybe a network-attached printer or video surveillance camera. That's often a good entry point (see my own example here), but it's not the weakest link for getting root or admin access to a data warehouse. For that, a simple phishing exercise sustained over a period of time will often net the right credentials ‒ and with them, full access. That's not a function of sophistication ‒ it's human behavior and social engineering that become the weakest link.

Once they are able to compromise a few high level employee systems through a phishing campaign either through malware attachments or through a browser exploit, gaining access to a user’s database credentials would be trivial. Ken Westin ‒ Senior Security Analyst at Tripwire ‒ How Anthem Could Be Breached

This isn't the first time Anthem has been breached. Under its former brand name, WellPoint, the company agreed to pay HHS $1.7 million in 2013 for online data breaches that left the identity of 612,402 patients accessible over the internet between October of 2009 and March of 2010.

There's a lot at stake in these lawsuits because, while the courts have historically frowned on class action suits over credit or debit card breaches, the consumer liabilities here are potentially much higher ‒ and lifelong, given permanent identifiers like Social Security number and date of birth. With a financial breach, the risk is typically short-lived (until the account can be closed) and the liability is often capped at $50.

This most recent data breach is a game changer. If data about existing accounts is compromised, such as account numbers, user names and/or passwords, one can close those accounts and the harm is stopped. With the exposure of this permanent information, particularly SSN and date of birth, fraudsters can open new accounts in your name into the indefinite future. Dr. Stephen Coggeshall ‒ Chief Analytic and Science Officer, LifeLock, Inc. and ID Analytics

In the end ‒ just how sophisticated was the health data breach at Anthem? Was it the Heartbleed bug, a more mundane phishing attack, or the work of a sophisticated Advanced Persistent Threat group from China (or another nation state)? Whatever the final verdict, both in and out of court, this definitely isn't as simple as a general lack of data encryption.