Anthem Breach: Phishing Attack Cited

Phishing Campaigns Now Targeting Anthem Members

Health insurer Anthem Inc. believes that the attack that compromised up to 80 million individuals' personally identifiable information may have begun with phishing e-mails sent to a handful of its employees. This is just one of several options being investigated as the cause of the breach. The insurer also warned members that the data breach is being used as a lure by online and telephone scammers.

Anthem, the second-largest U.S. health insurer, says that the data breach likely began as early as Dec. 10, and that related intrusions likely continued until Jan. 27, when suspicious database queries were first detected, Anthem spokeswoman Kristin Binns told the Associated Press. She added that investigators, who confirmed the breach on Jan. 29, have found unauthorized data queries that date from at least Dec. 10, although some of those queries were blocked by the company's automated defenses. The company issued its first public warning about the breach on Feb. 4.

The Anthem breach is being investigated by the FBI, together with digital forensic investigation and breach-response firm Mandiant, a FireEye company. Meanwhile, state insurance commissioners and attorneys general have launched investigations into the cyber-attack against Anthem, and a U.S. Senate committee is also examining the healthcare industry's preparedness for mitigating cyberthreats (see State Authorities Probe Anthem Hack).

Breach Triggers Phishing

The Anthem hack has already become fodder for scam artists. On Feb. 6, Anthem issued an alert to its members, warning them to beware of related scams. "These scams, designed to capture personal information - known as 'phishing' - are designed to appear as if they are from Anthem, and the e-mails include a 'click here' link for credit monitoring. These e-mails are not from Anthem." Some samples of the phishing e-mails being circulated online contain the subject line "Cyber Attack Against Anthem," and have multiple grammatical errors.

Echoing long-standing advice from security experts, Anthem recommends that members never click links in e-mails, because a link's visible text can be disguised to hide that it redirects recipients to an attacker-controlled website or runs a malicious script. Instead, experts recommend that users type the address of any website they want to visit directly into their browser.
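The lure Anthem describes, a "click here" link for credit monitoring whose real destination is hidden, is exactly what an inbound-mail filter can check for. The following is an added example (not code from the article, from Anthem, or from any vendor named here) that parses an HTML e-mail, extracts every link, and flags ones whose destination host is outside an allowlist, hides behind generic "click here" text, disagrees with the sender's domain, or differs from a URL shown in the visible text. The sample messages, the `anthem.com` allowlist, and the `.invalid` hostnames are constructed for the demonstration, not real indicators.

```python
"""Added example: flag disguised links in an HTML e-mail.

Not code from the article or from Anthem. The sample messages and
.invalid hostnames below are constructed, not real indicators."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the insurer only links to its own domain in member mail.
TRUSTED_DOMAINS = {"anthem.com"}

UNTRUSTED_HOST = "UNTRUSTED_HOST"              # link leaves the allowlist
GENERIC_ANCHOR_TEXT = "GENERIC_ANCHOR_TEXT"    # 'click here' hides the target
SENDER_LINK_MISMATCH = "SENDER_LINK_MISMATCH"  # From: domain != link domain
DISPLAY_URL_MISMATCH = "DISPLAY_URL_MISMATCH"  # shown URL != real href

_LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname (assumption: enough for .com-style names)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url_or_text):
    """Hostname of a URL, or of bare display text such as 'www.example.com/x'."""
    if not re.match(r"^https?://", url_or_text, re.I):
        url_or_text = "http://" + url_or_text
    return urlparse(url_or_text).hostname or ""


def analyze(raw_message):
    """Return [(href, [reason codes])] for every link that trips a check."""
    msg = message_from_string(raw_message)
    sender = registrable(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    collector = LinkCollector()
    collector.feed(msg.get_payload())  # assumption: single-part text/html body
    findings = []
    for href, text in collector.links:
        link_dom = registrable(host_of(href))
        reasons = []
        if link_dom not in TRUSTED_DOMAINS:
            reasons.append(UNTRUSTED_HOST)
        if "click here" in text.lower():
            reasons.append(GENERIC_ANCHOR_TEXT)
        if sender and link_dom != sender:
            reasons.append(SENDER_LINK_MISMATCH)
        if _LOOKS_LIKE_URL.match(text) and registrable(host_of(text)) != link_dom:
            reasons.append(DISPLAY_URL_MISMATCH)
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: the 'click here for credit monitoring' lure the
# article describes, with a spoofed From: header.
SAMPLE_PHISH = """\
From: "Anthem Member Services" <alerts@anthem.com>
To: member@example.com
Subject: Cyber Attack Against Anthem
Content-Type: text/html

<html><body>
<p>Please <a href="http://credit-monitoring.example.invalid/enroll?m=1">click here</a>
to enroll in free credit monitoring.</p>
<p>Or sign in at <a href="http://login.example.invalid/">https://www.anthem.com/</a></p>
</body></html>
"""

# Constructed sample of a benign message for comparison.
SAMPLE_LEGIT = """\
From: "Anthem Member Services" <alerts@anthem.com>
To: member@example.com
Subject: Your statement is available
Content-Type: text/html

<p>Sign in at <a href="https://www.anthem.com/">www.anthem.com</a> to view it.</p>
"""

if __name__ == "__main__":
    for href, reasons in analyze(SAMPLE_PHISH):
        print(href, "->", ", ".join(reasons))
    print("benign findings:", analyze(SAMPLE_LEGIT))
```

The `SENDER_LINK_MISMATCH` check matters even without an allowlist: a message that claims to come from the insurer but links elsewhere is suspicious on its own, whereas `UNTRUSTED_HOST` needs the organisation's domains to be known in advance. A real gateway would also walk multipart bodies and resolve redirect shorteners, which this example deliberately leaves out.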

The health insurer also warns members to beware of anyone who calls them to discuss the breach. "Anthem is not calling members regarding the cyber-attack and is not asking for credit card information or Social Security numbers over the phone," it says.

Written Communications

Instead, Anthem has promised to send letters - via the U.S. Postal Service - to everyone who was affected by the breach by Feb. 20, Bloomberg reports. Anthem has said every member of one of its insurance plans or brands has potentially been affected by its database breach, including Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink and DeCare. But Anthem was also storing data for many members of other Blue Cross and Blue Shield plans, which helps explain why up to 80 million people may have been affected by the breach.

Anthem says information that was exposed in the breach included names, birthdays, medical IDs/Social Security numbers, street addresses, e-mail addresses and employment information - including income data.

Anthem says it will offer free credit and identity theft monitoring services to all affected individuals. Those services can help consumers know if someone uses their personal details to commit some types of fraud. But they cannot prevent or block such fraud from taking place.

Security experts say Anthem members whose data was exposed are at risk of more than just financial fraud. "With the PII that healthcare providers typically possess, bad actors can do quite a bit more than acquiring new lines of credit on your behalf," says Patrick Bedwell, vice president of product marketing for threat-intelligence sharing vendor AlienVault, in a blog post. "They can also use your family's PII to create new identities and secure state or federally issued identification documents, such as driver's licenses or passports."

Biggest Healthcare Sector Breach

The U.S. Department of Health and Human Services has confirmed to Information Security Media Group that the data that Anthem says was exposed by the breach is considered "protected health information" under HIPAA. Thus while the size of the Anthem breach has yet to be fully confirmed, the incident will likely rank as the biggest health data breach since enforcement of the HIPAA breach notification rule began in September 2009.

Hackers have been increasingly targeting the healthcare sector, and the FBI has recently issued multiple flash alerts, warning of an increase in spear-phishing attacks targeting healthcare firms' and medical device manufacturers' intellectual property (see Anthem Breach Sounds a Healthcare Alarm). Such tactics are often used by so-called advanced persistent threat attackers.

The Anthem breach follows Community Health disclosing in August 2014 that information on 4.5 million of its patients had been exposed due to a data breach, which it ascribed to Chinese hackers wielding phishing e-mails.

"The industry has become, over the last three years, a much bigger target," Daniel Nutkis, CEO of Health Information Trust Alliance, tells The New York Times. HITRUST has published anonymously submitted information that relates to the Anthem breach, which it says suggests the attack was carried out by "a targeted advanced persistent threat actor."

China Link Probed

Investigators are reportedly probing whether Chinese hackers were involved in the Anthem breach (see Anthem Breach: Chinese Hackers Involved?). But many information security experts say it's far too early to attribute the attack, and have warned that the incident demonstrates how organizations are continuing to get breached by attackers employing unsophisticated tactics. Security researcher Scot Terban, a.k.a. "Dr. Krypt3ia," recommends that breach investigations - whether at Sony Pictures Entertainment or Anthem - focus less on the who, and more on the how.

"How did the adversary get in? How did they leverage the vulnerabilities within the company to steal the data without being seen? How did the company miss all of this exfiltration of data in the first place?" Terban asks in a blog post. "Let's talk about the organization's failures in security and how they can better shore them up to stop the next attack, instead of banging the attribution gong so loudly."

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
