Anthem breach: Vendors never let a good crisis go to waste

Given this week’s news of a potentially huge security breach at insurance provider Anthem, security vendors of all types are eager to give advice, and, oh, get their company names in front of affected consumers or (better yet) other big companies spooked by what happened to Anthem.

The Anthem breach, in which hackers accessed names, addresses, birth dates, medical ID numbers and Social Security numbers of customers, could affect up to 80 million people.

So, what could Anthem do better going forward? According to what showed up in my inbox, it should apply file-level protection (Varonis), use fraud detection and behavioral analysis (NuData Security), apply cloud-based security (Zscaler) and speed up disclosure and response (Co3 Systems and Incident Response Management Systems). You get the picture.

Given that no one outside of Anthem, its vendors and maybe the hackers actually knows what systems it had in place, it seems rather presumptuous for security vendors to insert themselves as would-be saviors, but such is the way of corporate PR.

And now for the real victims

So now that we know what security companies think other customer-facing vendors should do (which is, basically, “buy our stuff”), what about the poor schlubs whose information was stolen? What are they supposed to do? Well, there was the usual advice from the National Consumers League and others.

People should be more suspicious than usual of email from unknown people, since bad guys use email to launch phishing attacks. Don’t open messages from anyone you don’t know; don’t click on links in email unless you’re sure where they will take you (hover over the link to see if the URL looks legit); don’t respond to odd email if you happen to open it. Stop reusing passwords across sites or, better yet, get a password manager. Use two-factor authentication. Yaddayaddayadda.

If you suspect credit card fraud, get your credit reports or credit score updates (Credit Karma is a good and free service), although, as NBC reported, the credit agencies will not catch medical identity theft. In that scenario, a person’s purloined medical ID number could be used at hospitals, ERs and pharmacies to get care and drugs, “racking up charges and wrecking victims’ medical records.”

The best way to detect medical ID theft is to scrupulously check your Explanation of Benefits documents each and every time. And make sure to shred all medical documents.

At this point, given all the breaches at Target, Home Depot, JPMorgan Chase and now Anthem, it’s probably safe to assume that some of your information is already “out there,” so do as much as you can yourself to protect your assets. No vendor is going to do it for you.

5 Comments

Scott Hogrefe

The media never lets a good crisis go to waste either. It takes two to tango and a fine reporter such as yourself can control what you write/choose to include. As a consumer I do assume that my information is already out there, but I’m not as cynical to believe that vendors can’t help or offer up expert advice on what to do. Are they trying to get airtime/sell their stuff? Sure. Is that disingenuous? Not always. Would you say the same thing about a non-profit pitching their program and raising money directly after a natural disaster?

Dr Doom

Perhaps you could’ve given some advice on what consumers *can* do? SSNs were stolen from Anthem – and that includes past and present members, and minors e.g. children covered under their parents’ plan.

Credit Freeze will prevent thieves creating new accounts in your name. What can be done to prevent/avoid fake medical charges and fake official documents being created?

Philip Lieberman

What happened to Anthem was primarily a human process issue that was already recognized by HHS and other BCBS companies. The problem has a well-known solution (short lifetime credentials and limited scope credentials) regarding the proper use of administrative credentials that could be hijacked. Unfortunately, Anthem did not follow industry best practices in this situation and the expected outcome occurred. The problem is quick and easy to fix, but sometimes consequence is the best/only teacher.

Brady

Ironically, I currently have an ad on the side of this very article from LifeLock about this security leak.
