The second largest health insurer in the US admitted last night it was the target of a massive hack that resulted in as many as 80 million customer and employee records being compromised.

According to a statement from Joseph R. Swedish, CEO of Indianapolis-based Anthem Inc., the attack came to light last week. Cyberthieves stole large amounts of personal data of past and present customers — including names, birthdays, medical ID and social security numbers, street addresses, email addresses and employment information, including income data.

But Swedish, apparently trying to look at the bright side, added that no credit card or medical records, including claims, test results and diagnostic codes, were targeted compromised ... at least from what investigators can determine right now.

Bringing in the Troops

Swedish added in the statement that Anthem has closed the security gap, contacted the FBI and retained the cybersecurity firm Mandiant to evaluate its systems and identify solutions.

The fact that Swedish claims his own personal information was compromised is likely to provide little consolation to the other victims of the attack. Anthem plans to contact all affected customers — as required by US law — and provide credit monitoring and identity protection services free of charge.

The attack exposed customers in all Anthem’s business units, including Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink and DeCare.

In fact, according to its own figures, one in nine Americans is covered by one of Anthems affiliated plans, which makes this attack about as bad as it can get.

Market Data

It's disturbing enough when hackers access credit card data, as they did at Target and Home Depot. But in those cases, consumers have recourse: they can easily obtain a new credit card and are not responsible for any unauthorized charges made by the illegal use of their card numbers.

However, the problem Anthem is a different issue entirely because the data is so extensive. With everything from names and birth dates to Social Security numbers and the names of employers, victims are at risk of full-scale identity theft. 

Candid Wueest, a threat researcher with Symantec, pointed out in a blog post in December that there is a huge market for stolen data.

Prices for illegal goods and services can vary widely, depending on what’s offered, but bargains exist even for cybercriminals on the tightest budgets. Attackers can pick up stolen data and compromised accounts for less than a dollar. Larger services, such as attack infrastructure, can cost anything from a hundred dollars to a few thousand. However, considering the potential gains that attackers could make by using this infrastructure, the upfront cost may be worth it for them,” he wrote in a blog post.

Prices have dropped for some of the data offered, such as email accounts, but they remain stable for more profitable information like online bank account details. In 2007, stolen email accounts were worth between $4 and $30. In 2008, prices fluctuated between $0.10 and $100. In 2009, the price hovered between $1 and $20.

Today, you can get 1,000 stolen email accounts for $0.50 to $10. The latest pricing is a good indication that there is now oversupply and the market has adjusted accordingly, the research showed. Other bargains, Wueest said include:

  • Scans of passports, $1 to $2
  • Stolen gaming accounts, $10 to $15
  • Custom malware, like tools for stealing Bitcoins, $12 to $3,500
  • Stolen cloud accounts, $7 to $8

You can even send spam to 1 million verified email addresses for as low as $70, he noted.

Unhealthy Hacks

According to the Identity Theft Resource Center (ITRC), which tracks data breaches, a record number of attacks occurred in 2014. The health and medical sectors are increasing targets, it noted with medical and health-care entities accounting for 42.5 percent of reported data breaches last year.

In a report last November, based on research involving records of data breaches available from the US Dept. of Health and Human Services (HHS), security firm Bitglass found 70 percent of incidents since 2010 were caused by loss or theft of devices and files and 23 percent were linked to hacking.

Citing an 2013 EMC report on cybercrime in the health industry, Bitglass also noted that the value of stolen health records on the black market is, on average, $50, while a stolen Social Security number gets a mere $1.

It is impossible to estimate how much this breach is going to cost Anthem, but the Bitglass report also offers insight.

It cites the example of Community Health Services, a Fortune 500 group of 206 hospitals in the US where a vulnerability was used to steal user credentials and gain network access last year. The result was the theft of 5.4 million patient names, addresses, phone numbers and social security numbers.

Bitglass estimates that this costs between $75 million and $150 million in fines, security upgrades and related cost. Even if only a few tens of millions have been affected in the Anthem attack, the cost of this single incident will be a sore point for some time to come, while the damage to its reputation is incalculable.

Preventing Attacks

Rajiv Gupta, CEO of Skyhigh Networks, a security firm, said companies have an obligation to be proactive to prevent the loss of data. 

  • Enforce two-factor authentication to reduce the likelihood that a stolen credential by itself is sufficient to gain access to a mission critical system
  • Enforce role-based access control for corporate systems, so that no single credential has unfettered access to all data
  • Implement security intelligence systems that provide visibility into cloud usage and identify anomalous behavior