Los Angeles Times
Business
Paresh Dave

Anthem 'lucky' that employee spotted breach, expert says

Feb. 05 -- The computer security breach at health insurance giant Anthem Inc. may have lasted for a few weeks, but the consequences could have been much worse if not for a lucky break, cybersecurity experts said.

Anthem was fortunate that one of its employees noticed the suspicious use of a login on Jan. 27.

"It's rare and it's lucky," said Dan Berger, chief executive of Carpinteria-based Redspin, which specializes in healthcare data security. "Who knows how long it would have gone undetected."

Many cyberattacks last three to six months before they are spotted, experts said. Also unlike this case, outside researchers usually find pilfered data on the Web before a company realizes that data has been stolen.

The Anthem breach led to personal information, including Social Security numbers, of as many as 80 million customers and employees being moved out of the company's network.

How the cyberattacker was able to get into Anthem's system is unclear, but Berger said he'd bet that an employee was duped by a fraudulent email -- known as a spearphishing attack -- into giving up a username and password for Anthem's systems.

"It just underscores the need for security awareness training for all employees," said Berger, whose information was among the compromised batch.

Anthem said no medical data about its customers was taken. That's surprising because once inside, a cyberattacker likely had close to free rein, said Ben Goodman, president of cybersecurity consulting firm 4A Security and Compliance.

A cyberattacker who apparently had all the needed logins for Anthem's databases could have accessed the detailed medical dossier, had he desired, whether the file was encrypted or not.

Electronic health records are valuable on the black market because fraudsters can use them to buy medications or even undergo procedures using someone else's name. Though less lucrative, the type of general customer data that was compromised in this case can be sold off or taken advantage of much faster.

Hackers in last year's breach of 4.5 million records at hospital operator Community Health Systems also didn't touch the electronic health records, Goodman said. Community Health said it was targeted by someone in China.

The scope of the Anthem attack still is more than enough to raise the bar for what the healthcare industry should consider reasonable care of data, experts said.

"What was considered reasonable is getting more rigorous with each attack in the news every day," Goodman said.

Chat with me on Twitter @peard33
