According to Joseph Swedish, Anthem’s CEO, the cyber thieves accessed home addresses, e-mail addresses, client names, birth dates, as well as social security numbers and health care information.
“Cyber criminals are becoming more sophisticated every day,” says Craig Spiezle, the executive director of Online Trust Alliance (OTA). “They gather data like marketing companies do. They collect and append data from multiple sources, and the more information they have about an individual, the more valuable it becomes.”
Hackers often walk right into the system. They use “social engineering” to gain access to the company. They find out the systems administrator’s e-mail and then fake an internal e-mail asking the administrator to open certain files.
“They may ask that person to open up a pdf of the current financial plan saying they would like to get some feedback,” notes Spiezle. “That is social engineering,” he says. “More and more often we are seeing these malicious entries coming from a typical phishing e-mail.”
Then, bang. They’re in.
“The information they gather is often traded and sold in the underground economy,” explains Spiezle. “They may have credit card numbers stolen from Target or Home Depot that they can trade and match up with health care information, employment histories. It becomes very valuable.”
Hackers can use the information to file false tax returns, obtain new credit cards and steal identities - in addition to an almost endless list of nefarious activities that could damage the individuals whose information has been snatched.
At least 40 class-action lawsuits have been launched against Anthem, which happens to be the second largest health care provider in the US.
In Denver, Colorado, attorney Patrick Peluso from Woodrow & Peluso, LLC has launched a putative class action on behalf of a woman from the state claiming breach of contract. “Our case alleges that Anthem’s privacy policies and its website explicitly say they will protect people’s personal information and they didn’t,” says Peluso. “The early reports are that its internal data was not encrypted and that it did not have a two-step authorization system in place.
“We argue that people overpaid for their premiums as a result of Anthem not protecting data the way it said it would,” says Peluso. “People would not have paid the premium price if they had known their social insurance numbers, and other types of data, were at risk.”
Litigators at Hagens Berman have also launched a class-action suit on behalf of an Anthem client.
In a press release, Hagens Berman partner and former cyber security prosecutor, Thomas Loeser, pointed to a failure to encrypt internal data as the problem at Anthem.
“We consider this the smoking gun of this investigation. Anthem knew the importance of encryption, as it encrypted data that was sent outside of its databases. But it did not take this basic step for data that it kept within its systems, leaving vulnerable a gold mine for cyber criminals,” he was quoted as saying.
Loeser believes that Anthem’s trove of hacked data, particularly because it contains multiple sources of data for each individual, could be worth up to $20 billion in the shady world of cyber theft.
“Think of these companies like big ships,” says Spiezle. “Someone opens a window, the ship begins to take on water and sinks.
“The first question we always need to ask is did the company have good defenses in place?” he says. “Then we ask what did they do to detect the problem and what did they do to contain it?”
Spiezle, who recently attended the White House Cyber Security Summit, where business and government agreed to continue working together to put the brakes on cyber theft, says cyber security requires a “holistic approach.”
“Security has to be everyone’s job,” says Spiezle.