The data of up to 80 million people that hackers stole from health care insurer Anthem's database was not encrypted, sparking questions about whether the company had properly protected the information.
"Because an administrator's account was compromised, no amount of encryption would have prevented this attack," said Darrel Ng, a spokesman for Anthem Blue Cross in California, after the company began warning the public Wednesday about the breach.
That might be of little consolation to consumers fretting about hackers who now have access to their Social Security and medical identification numbers, names, birthdates, street addresses, email addresses and employment information, including income data. But most security experts agree there's no single technological solution to stopping this from happening again.
"We've seen so many large breaches, whether it's Target or Sony and now Anthem, and a lot of times there are calls for encryption," said Steve Bellovin, a computer science professor at Columbia University. "Encryption is a valuable tool. Sometimes it's going to help a lot. Other times it's a lot harder than it sounds."
Others say encrypting personal data could have helped.
"They claim it's the expense. Really, there's no excuse," said Beth Givens, founder and director of San Diego-based Privacy Rights Clearinghouse. "Encryption is not a 100 percent solution but it makes that data far less desirable for fraudsters. They don't want to take the time and effort to decode it."
Encryption is a method of using mathematical algorithms to scramble data so that it's unreadable to anyone without a key, often in the form of a password.
Anthem has declined to say exactly how it was breached, only that it was "the target of a very sophisticated external cyberattack" that the FBI is now investigating. Anthem also called in a Milpitas-based security firm, FireEye, to help. The insurer said it first noticed suspicious activity Jan. 27, then confirmed the hack Jan. 29.
A health care security network that Anthem consulted with last week, the Health Information Trust Alliance, said in a statement Thursday that "upon further investigation and analysis it is believed to be a targeted advanced persistent threat actor."
That's "often a code word for a nation state, especially China or Russia," Bellovin said, and a way for a company to say it's been breached by a sophisticated player that would have been hard to stop.
How sophisticated remains hard to verify, but what's clear is that a breach -- possibly starting with just one administrator's account -- won hackers access to tens of millions of private records.
According to Ng, Anthem's data is encrypted when it is in transit.
"But while it's in Anthem's secure environment, it is not," he said.
"Essentially because they used administrator credentials, additional encryption would not have thwarted the attack," he said. "Administrator credentials would have unencrypted an encrypted database."
Anthem's breach affected up to 80 million people, far more than the 37.5 million actually covered by the insurer as of December, according to the company's most recent earnings report. Those hacked included not just Anthem employees but also many former Anthem subscribers, many of whom long ago dropped the insurer.
"The problem we have right now is not that a system can be penetrated, it's that after it's penetrated, all the data is at risk," Bellovin said.
Contact Matt O'Brien at 408-920-5011. Follow him at Twitter.com/Mattoyeah.
Source: http://www.mercurynews.com/health/ci_27470392/anthem-hack-could-insurer-have-prevented-it