Anthem cyberattack renews calls for info sharing

House Homeland Security Chairman Michael McCaul said Congress needs "to take aggressive action."

House Homeland Security Chairman Michael McCaul said Congress needs to move cybersecurity information-sharing legislation "as soon as possible."

Anthem Inc., one of the country's biggest health insurers, has been hit by a major cyberattack that could affect millions of its customers and employees. As news of the large-scale hack broke late Feb. 4, it was already having a ripple effect on Capitol Hill, with a top lawmaker calling on Congress to pass information-sharing legislation in response.

Hackers stole personal information from current and former Anthem members, including Social Security numbers, street and email addresses, and income data, the insurer said in a statement that described the hack as "very sophisticated." The firm said it had seen no evidence that credit card or medical information was compromised.

The hackers penetrated an Anthem database housing the personal information of 80 million Anthem customers and employees, the Wall Street Journal reported.

In a statement, the FBI said it was investigating the Anthem hack and praised the company’s swift response. 

"Anthem’s initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances," said the bureau.

"Rapid notification allows the FBI to quickly deploy our cyber experts to preserve evidence and work with a company's incident responders to help them remediate their networks and rid their systems of harmful malware," the statement said.

Rumblings on the Hill

A key lawmaker quickly took notice of the cyberattack on Anthem.

"This attack is another reminder of the persistent threats we face, and the need for Congress to take aggressive action to remove legal barriers for sharing cyber threat information," said Texas Republican Michael McCaul, chairman of the House Homeland Security Committee. "I will lead this effort with other committees in the House and Senate to ensure we move forward with greatly needed cybersecurity legislation as soon as possible."

President Barack Obama is reportedly set to announce executive action to encourage the private sector to share cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center.

Breach notification proposal 

By any standard, Anthem acted quickly in reporting the breach to customers and the public just days after it occurred. State laws vary widely about when notification should take place, and how much time firms should have before disclosing the theft of personally identifiable information.

The Obama administration recently came out in support of a national data breach standard that includes a requirement to notify customers within 30 days of a breach. The Senate Commerce Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security held a hearing Feb. 5 to discuss what a national standard might look like and whether federal rules should preempt state regulations in states that maintain stringent breach notification standards.

"Just this morning we woke up to news of what experts are calling the largest health care breach to date," said Sen. Jerry Moran (R-Kan.), the subcommittee chairman. He sounded a hopeful note for action on a national standard. "The president's support along with bipartisan and bicameral congressional interest has renewed optimism among stakeholders that Congress can develop a balanced and thoughtful approach with legislation in the near term," he said.

No apparent impact on HealthCare.gov

The cyberattack on Anthem put hackers inside a network with connections to government systems including HealthCare.gov and Medicare.gov, where enrollment and payments are processed. A CMS spokesperson told FCW that "while there is no indication at this time that the attack against Anthem has impacted HealthCare.gov or Medicare.gov, we remain vigilant in responding to cybersecurity events."

Ahead of the current open enrollment season, which began in November 2014 and closes Feb. 15, CMS invested in new detection tools and in its cyber response, and added to its cybersecurity team, a spokesperson said. To date, according to CMS, no personally identifiable information has been accessed or stolen by hackers or others with malicious intent from HealthCare.gov or Medicare.gov.

Outside help

Like Sony Pictures Entertainment after it was hacked last November, Anthem has hired cybersecurity firm Mandiant to help investigate the hack.

Anthem already had a good idea of the data stolen before hiring Mandiant a few days ago, said David Damato, managing director of Mandiant's parent firm FireEye Inc. He said it was unusual for a firm to have that level of forensics detection before an investigation begins.

Mandiant's team is working alongside the FBI, feeding malware and IP addresses to the agents to check against "their intelligence and give us some initial indication on the context," said Damato, who spoke to FCW from Anthem's war room for dealing with the hack, at its Indianapolis headquarters. He said the malware found on Anthem’s network was sophisticated, customized and not publicly available.

Damato said it was too early to say whether, given the sophistication of the malware, a nation-state was behind the hack.

In August, the FBI formally warned the health care industry that hackers were targeting companies for intellectual property and possibly personal information like the kind stolen from Anthem, according to a Reuters report.
