The Inquisitr reported Friday that Anthem is facing a class-action lawsuit following its recent security breach. Now the health insurance company is warning its U.S. customers to be on the lookout for email scammers.
According to Reuters, Anthem is frantically advising former and current clients whose personal information may have been breached. The hacking incident targeted a data system containing information about more than 80 million customers, all of whom are advised to be on the lookout for suspicious activity.
First and foremost, Anthem told a reporter, customers will be advised of the attack via paper mail delivered by the U.S. Postal Service. The company wants its members to be aware that it will not be calling them regarding the breach, nor will it be asking for information such as Social Security numbers or credit card information over the phone.
The Anthem hacking is the largest ever perpetrated on a healthcare company, coming at a time when cyber attackers are going after insurers, hospitals, and other healthcare companies with increasing frequency. Security experts concur that, in many cases, hackers look for and attack easy targets.
Anthem confirmed reports that the data involved in the hack had not been encrypted to prevent a security breach. The Christian Science Monitor reports that because healthcare companies store vast amounts of personal data, they are prime targets for hackers. According to Anthem spokesperson Cindy Wakefield, data is not encrypted while it is sitting in a warehouse, although encryption is the rule when data is moved in and out of storage.
“I think that is standard practice,” she told a reporter.
The reason? Anthem needs to have the ability to easily access patient data in order to create reports for customers and regulators during the course of business.
Wakefield said Anthem is not currently focusing on lawsuits resulting from the security breach. Instead, she says the focus is on customers.
“Our first priority is to determine who was impacted and to notify our members.”
She added that Anthem is working with cybersecurity experts to prevent future attacks.
Washington lawyer Deven McGraw, an expert in the field of healthcare privacy, told a reporter that U.S. law does not specifically require health data to be encrypted, even though it is sensitive.
At the same time, he stressed the importance of security, noting, “Encryption is one physical safeguard that can be very helpful to lowering cyber security risk.”
Kevin Epstein, vice president of advanced security and governance at email security vendor Proofpoint, told the Christian Science Monitor that breaches such as the one at Anthem are a “scathing indictment of how at a board level, security has not been a crucial issue to date.”
Attacks like the one targeting Anthem and other healthcare companies are particularly concerning as they typically involve breaches of information that can be used to forge identities and to commit fraud. In Anthem’s case, it appears no protected health information was accessed, but the information that was stolen, including addresses, dates of birth, and Social Security numbers, gives hackers what they need to commit identity theft.
What do you think? Should healthcare companies like Anthem be required to encrypt stored data?