Review of A Health Care Data Breach – Anthem 2015

Abstract 

The Anthem Data Breach was the largest of its kind at the time and was one of the first times that a cybersecurity incident was actively covered in mainstream media. This was cited as a watershed event by many cybersecurity experts. The legal and financial ramifications of the breach resounded across the healthcare industry and started a national conversation about data security and accountability of business organizations for customer data. This conversation has acquired many more nuances and continued over the years.  This paper explores why healthcare organizations are sought after, what makes them vulnerable and uses the example of one of the largest healthcare related cyberattacks in recent years – Anthem Data Breach of 2015, to understand the vulnerabilities, idiosyncrasies and methods to protect healthcare information technology infrastructure from cyberattacks.

Keywords:  Healthcare, Cybersecurity, Data Breach, Anthem

Review of A Health Care Data Breach – Anthem 2015 

Healthcare organizations are targeted by cybercriminals with alarming frequency. The Ponemon Institute’s study on healthcare data states that about ninety percent of healthcare organizations were victims of data breaches from 2011, with more than forty five percent of them experiencing no less than five breaches in the same period (Ponemon, 2016). An estimated $6.2 Billion in actual costs such as costs of investigation, damage control, customer and government notification, fines, legal fees and settlements in addition to intangible costs such as loss of future business customers is incurred by healthcare organizations annually because of cybersecurity incidents (Doherty, 2016). There has been a steep increase in the number and scope of attacks especially advanced persistent threats (APT) allegedly by foreign governments while the number of breaches due to the actual loss of data storage devices such as hard disks and hardware such as laptops has declined. This trend can be observed in a timeline depicted pictorially in Figure 1.

Value of Healthcare Data

The data obtained from breaching a single healthcare organization is exponentially more valuable to hackers than from a comparable organization in any other sector or industry. The following reasons have been cited for the attractiveness of healthcare institutions to cybercriminals:

• The data stored by healthcare organizations is both vast and textured with multiple components of an individual’s personally identifiable information (PII) in a single record.
• Laws and Regulations such as Health Insurance Portability and Accountability Act of 1996 (HIPAA) required healthcare organizations to convert all physical medical records to digital records by an arbitrarily decided deadline. This caused a rush among the organizations to digitize records without paying proper attention to the security aspects of this move. This caused inherent vulnerabilities in large records systems that hackers were able to exploit.
• The price for Protected Health Information averages around fifty dollars per person while credit card information averages about a dollar and fifty cents and social security numbers average about three dollars (Stark, 2015)
• An individual’s healthcare data remains relatively stable and unchanged over a period of time while data such as credit card numbers, ATM PINs are much more mutable and are changed immediately when used by a hacker.

Anthem Data Breach of 2015

Anthem Inc., is an American health insurance company that was founded over seventy years ago and has grown into the largest for-profit managed health care company in the Blue Cross and Blue Shield Association through a series of mergers and acquisitions. It ranks twenty-ninth in Fortune 500 list and had revenues of over $90 billion last year (Fortune Magazine, 2018). On February 4, 2015, Anthem, Inc. put out a press release stating that cybercriminals had breached its security infrastructure and stolen the records of over 37.5 million members including personally identifiable information (PII) from its data stores (Riley, 2015). On February 24, 2015 Anthem Inc. issued a revised estimate of the number of records stolen and stated that over 78.8 million people were affected by the breach (Matthews, 2015). The data breached a number of Anthem’s brands including but not limited to – Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, and UniCare (Krebs, 2015)

Timeline of the Anthem Data Breach

On February 18, 2018, according to an extensive analysis conducted by Mandiant, the attackers may have gained access to Anthem’s database (McGee, 2017)

On December 10, 2014, a query retrieving eighty million records was initiated (Krebs, 2015) and there was a lull in the security infrastructure checks and other monitoring activities over the holiday season. 

On January 27, 2015, the breach in security was discovered by an employee and an alarm was raised internally within the company

On January 29, 2015, Anthem Inc. disclosed the breach to federal authorities through a precisely worded letter by the organization’s legal department

On February 4, 2015, the company’s public relations department issued a written press release to all the major media outlets (Matthews, 2015)

In February 2015, Anthem Inc. hired Mandiant, a cybersecurity firm, to analyze its security infrastructure to find how the breach happened, what the vulnerabilities were within its security infrastructure, how any future security risks could be avoided, mitigated or transferred.

On August 20, 2018, a Federal Judge approved Anthem’s settlement offer of $115 million with the 78.8 million members whose PII was stolen

Data Compromised in the Breach

The particulars of the data that was stolen by the hackers, as released by Anthem Inc. is as follows –

1. Names
2. Dates of Birth
3. Social Security Numbers
4. Health Card ID numbers
5. Home addresses
6. Email addresses
7. Work related details including income data

However, credit card information and medical history including claims data was not reported as being stolen in the breach.

Mechanics of the Attack

Security experts who conducted cyber-forensics examination of the Anthem attack stated that the server certificates and techniques used in the Anthem breach resemble those of the state-sanctioned Chinese cybercriminal nexus called alternatively as  Deep Panda, Axiom, Group 72, and the Shell_Crew among other names. CrowdStrike, a security firm like Mandiant, christened this group, Deep Panda (Nakashima, 2015). 

We11point.com was registered on April 21, 2014 to an organization in China and all traces of its provenance were removed minutes later.  From open source records, Krebs (2015) concluded that Deep Panda was involved in the registration and use of the domain, we11point.com. The third and fourth characters in that domain name are the number one, but they tried to make it look like “Wellpoint,” the former name of Anthem before Wellpoint merged with Amerigroup to form Anthem Inc.

Another suspicious sub-domain by the name of extcitrix.we11point[dot]com was discovered upon further investigation. The “citrix” portion of that domain was created to resemble Citrix a tool used to enable access to a virtual private network (VPN) used by Anthem. This appeared to be a backdoor program impersonating the Citrix VPN software. This malware was digitally signed with a certificate issued to an organization called DTOPTOOLZ Co   which was linked to many crimes such as Premera Blue Cross Breach of 2015, by the Deep Panda Chinese espionage group.

A malware that Symantec listed as “Mivast” describing a backdoor Trojan that called out to one of a half-dozen domains, including extcitrix.we11point[dot]com domain was described in February 2015 and was the likely cause of the breach at Anthem (Krebs, 2015). Unconfirmed sources attribute the method of entry into the Anthem Inc. infrastructure as a phishing attack via an e-mail from the We11point.com domain (Nakashima, 2015).

Information Security experts opined that this advanced Persistent Threat (APT)  was carried out by the Chinese cyberespionage group, Deep Panda because

• The Anthem Breach occurred within  a few months of the Premera Blue Cross breach and the perpetrators stole the same kind of data within the healthcare sector. Both organizations worked with the same licensor, Blue Cross Blue Shield. A third data breach, involving another Blue Cross Blue Shield licensee, CareFirst happened just a month after the Premera health care breach was reported (Stark, 2015).
• Malware used in all the aforementioned breaches were all digitally signed by “DTOPTOOLZ Co.”
• A common technique of misleading recipients through character replacement –we11point.com instead of wellpoint.com in the Anthem breach and Prennara instead of Premera, in the Premera data breach were observed (Threat Connect 2015).

Preventive Measures

 Upon carefully examining the Anthem data breach from multiple perspectives and with data from a myriad of sources, it became clear that this attack could have been prevented outright with a lot less effort money and resources that went into investigating the breach and compensating the members who lost their data.

Employee Security Education Training and Awareness: This attack would not have succeeded if all Anthem employees were properly trained to be vigilant about phishing attacks. While we do not know the state of the organizational awareness at the time of the breach, at Anthem, we can safely state that it was not a hundred percent effective. The success of a Security training and awareness program is heavily dependent on buy-in at all levels and active promotion of cyber-vigilance among all employees. Security Training and Awareness is a sustained and concerted effort fostering engagement and education of employees.

Multifactor Authentication and Password Controls: One can surmise that Multifactor Authentication (MFA) controls were not implemented as a part of the organizational cyber security protocol. This is an efficient mechanism to enhance an organization’s IT security infrastructure. Unauthorized access to the Anthem’s database could have been prevented with MFA in this breach.

Security Patches, Service Packs and Hotfixes: Periodic checks for Security Patches, Service Updates and Hotfixes is an important step in preventing cyberattacks. These actions plug any known zero-day exploits and vulnerabilities in the system.

Contingency Planning & Disaster Planning: After the cyberattack, Anthem was unprepared to handle the fallout. The leadership was scrambling to contain the public relations nightmare did not know what to do with the actual problem. There was no plan in place for a data breach, let alone one of this size and scope. If there were properly thought out disaster management protocols, the effects of this attack could have been contained. All important information should have been secured in an air-gapped system following the breach and logging analysis should have been performed as a part of digital forensic analysis. Malware reverse engineering would have revealed the nature of the attack which was performed by Mandiant in this instance (Stark, 2015).

Security Audits with Vulnerability Scans: Regular security audits with vulnerability scans should be mandated periodically to avoid falling prey to cyberattacks. Regular security audits expose vulnerabilities within the security infrastructure much earlier and provide an opportunity for preventive action.

Conclusion

 The Anthem Data breach serves as an important lesson about cybersecurity for the future. This paper educated me about how cyberattacks have evolved progressively increasing in number and severity. The ramifications, legal and otherwise of ignorance and apathy towards organizational cyber security vulnerabilities were eye-opening for me. The most important lesson that I learned, however, was how preventable this breach was if only a few fundamental security measures were implemented early on.

 References

• Fortune Magazine (2018) Fortune 500 List. Fortune Magazine. Retrieved October 7, 2018, from http://fortune.com/fortune500/list/
• Krebs, B. (2015). Data Breach at Health Insurer Anthem Could Impact Millions. Krebs on Security. Retrieved October 7, 2018, from https://krebsonsecurity.com/2015/02/data-breach-at-health-insurer-anthem-could-impact-millions/
• Krebs, B. (2015). Anthem Breach May Have Started in April 2014. Krebs on Security. Retrieved October 7, 2018, https://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/
• Mathews, A. (2015). “Anthem: Hacked Database Included 78.8 Million People”. The Wall Street Journal. Retrieved October 7, 2018, from https://www.wsj.com/articles/anthem-hacked-database-included-78-8-million-people-1424807364
• McGee, M. K., (2017). A New In-Depth Analysis of Anthem Breach. Bank Info Security. Retrieved October 7, 2018, from https://www.bankinfosecurity.com/new-in-depth-analysis-anthem-breach-a-9627
• Nakashima, E. (2015). Security firm finds link between China and Anthem hack. The Washington Post. Retrieved October 7, 2018, https://www.washingtonpost.com/news/the-switch/wp/2015/02/27/security-firm-finds-link-between-china-and-anthem-hack/?noredirect=on&utm_term=.7cbfa18cabf9
• Pollack, D., Hoar, S., & Wright, D. (2016). Hacked and Attacked: Lessons Learned from Recent Healthcare Breaches. Retrieved October 7, 2018, from https://www.slideshare.net/theHCCA/hacked-and-attacked-lessons-learned-from-recent-healthcare-breaches-2016-compliance-institute-p18?next_slideshow=1
• Ponemon, L. (2016). News & Updates. Retrieved October 7, 2018, from https://www.ponemon.org/blog/sixth-annual-benchmark-study-on-privacy-security-of-healthcare-data
• Riley, C. (2015). “Insurance giant Anthem hit by massive data breach”. cnn.com. Retrieved October 7, 2018, from https://money.cnn.com/2015/02/04/technology/anthem-insurance-hack-data-security/
• Stark, J. R. (2015). CareFirst Data Breach: A Primer on its Incident Response. Retrieved October 7, 2018, from http://www.cybersecuritydocket.com/2015/05/22/carefirst-data-breach-a-primer-on-its-incident-response/
• Threat Connect. (2015). Premera Latest Healthcare Insurance Agency to be Breached. Retrieved October 7, 2018, from https://www.threatconnect.com/blog/premera-latest-healthcare-insurance-agency-to-be-breached/?utm_campaign=Anthem-Hack-Blog-Post&utm_source=from-anthem-post

Figures

Figure 1.  The escalating threat landscape of HealthCare

Source: Pollack, D., Hoar, S., & Wright, D. (2016). Hacked and Attacked: Lessons Learned from Recent Healthcare Breaches. Retrieved October 7, 2018, from https://www.slideshare.net/theHCCA/hacked-and-attacked-lessons-learned-from-recent-healthcare-breaches-2016-compliance-institute-p18?next_slideshow=1