The call for more systemic changes to prevent mega-hacks is getting louder after hackers hit Anthem, the nation's second-largest health insurer. The company says cyberthieves gained access to the addresses, employment information and Social Security numbers of 80 million customers and employees.
Eighty million individuals is a lot — it's roughly the populations of California, Texas and Illinois combined.
"It's large in health care. It's probably the largest health care breach that we've seen, and maybe that the government has seen," says Katherine Keefe, who leads global cybersecurity response for Beazley, which insures businesses against data breaches.
Keefe is not working with Anthem on this but does help protect other insurers. She says health data — should hackers get to the information — are especially lucrative on the black market, where hackers sell the data they steal.
"A data set containing health information alone, diagnosis information or treating physician name and information can get $40 to $50 per record on the street, on the black market versus one credit card number [which] can garner between $4 and $5 on the street. So you see kind of the relative weights," Keefe says.
In this case, Anthem spokesman Tony Felts says hackers didn't get to highly sensitive medical information, like test results or past claims.
"At this time there is no evidence that banking, credit card or medical information was targeted or compromised in this attack," Felts says.
But the insurer is working hard to clean up what's been breached. It's following the playbook of what companies have to do now, in the age of the mega-hack. Whether it's retailers like Target and Home Depot, or big banks, like JPMorgan Chase, the hacks are continuing.
"We're going to need federal legislation to address security issues to keep these huge hacks from happening," says Waldo Jaquith, who leads U.S. Open Data, which works with the public sector and private companies to better understand, store and share data.
The Obama administration has already proposed a data protection act — which would require companies like Anthem to publicly disclose they've been hacked within 30 days. Anthem disclosed its breach within a week. So experts like Jaquith say it's not enough to require reporting after a hack. He suggests putting minimum security requirements into law — like requiring much stricter passwords and customer authentication.
"Our lives are mediated by digital technology now," Jaquith says. "So we can no longer pretend that what happens on the Internet isn't real life. My health data, the history of my health data is very much my life. And we need requirements in place to ensure that a minimum level of security is in place to protect crucial data about everybody's lives."
Until there are more systemic changes, consumers are left feeling pretty helpless.
"We are helpless, yes. There are individual things we can do like have better passwords. But in the end it's up to companies like Anthem to get their act together," Jaquith says.
Anthem has started a dedicated website and phone number (877-263-7995) for consumers who were affected or think they may have been affected by this breach. The company is working with federal investigators and a private firm to find out how this hack happened.
Copyright 2020 NPR. To see more, visit https://www.npr.org.