One of the biggest cybercrimes in the history of healthcare was the result of a foreign government that hacked its way into nearly 100 computer systems operated by major health insurer Anthem Inc.

That's the chief conclusion of a newly issued report from the California Department of Insurance and six other state insurance commissions following a year-long investigation. "Our examination team concluded with a significant degree of confidence that the cyber attacker was acting on behalf of a foreign government," says California Insurance Commissioner David Jones. "Insurers and regulators alone cannot stop foreign government assisted cyberattacks."

The report didn't have many details about which foreign government they believe breached Anthem's corporate computer systems, why a foreign government would target a major U.S. health insurer for a cybercrime and what, if anything, a foreign nation did with the stolen electronic consumer health data.

But the report, called for by insurance departments from California, Indiana, Maine, Missouri, New Hampshire, North Dakota and South Carolina, did have plenty of detail on the sheer size of the cyberattack and the high cost of putting in place better security to try and prevent a repeat.

On Feb. 15, 2015 Anthem, with more than 38 million consumers directly enrolled in its various insurance company affiliates, reported a data breach that included the records of about 78.8 million consumers including about 12 million minors, says the California Department of Insurance.

The data breach occurred when an employee at an unnamed Anthem subsidiary opened a phishing e-mail containing malicious content.
Opening the e-mail permitted the download of malicious files to the user's computer and allowed hackers to gain remote access to that computer and at least 90 other systems within the Anthem enterprise, including Anthem's data warehouse, says the California Department of Insurance.

In the wake of the data breach, Anthem has spent nearly $260 million developing better security programs, although Anthem didn't release many details.

Specific costs included $115 million in security improvements, $112 million to supply credit protection service to customers who had their records stolen, $31 million to notify the customers about the breach and related communication services and $2.5 million to hire security and technology consultants.

Within two weeks of discovering the breach and following discussions with the lead states, Anthem hired AllClear ID, a consumer credit protection company, to offer credit protection services to all breach-affected consumers for a two-year period, the report says. Additionally, because of a multi-state settlement, Anthem also agreed to offer a credit protection solution to all minors who were under age 18 when the security breach occurred.

Since the immediate discovery of the cybercrime, Anthem has beefed up its data security with measures such as implementing multiple authentication on various key computer systems, adding privileged account management functionality, resetting key user passwords and installing better monitoring capability over its databases, according to the report. The controls implemented after the data breach should improve Anthem's ability to detect future breaches and enable Anthem to respond more effectively to a future attack in this instance, the report says.

Anthem has yet to respond publicly to the final report and did not name who it thinks was responsible for the cybercrime.
The California Department of Insurance along with other state insurance regulators also didn't disclose which foreign country they think was responsible.

But the regulators say they are certain the Anthem cyberattack was initiated overseas. "The United States government needs to take steps to prevent and hold foreign governments and other foreign actors accountable for cyberattacks on insurers, much as the President did in response to Russian government sponsored cyber-hacking in our recent presidential election," Jones says.