On Feb. 9, USA Today reported that the first lawsuits have already been filed as a result of the data breach experienced by the Indianapolis-based Anthem Health, and which Anthem had disclosed on Feb. 4. According to the USA Today report, at least four had been filed by Monday morning, in Indiana, California, Alabama, and Georgia.
The breach of data security at the nation’s second-largest health insurance company, had been detected on Jan. 27, when an Anthem IS administrator discovered that outsiders were using his own security credentials to log into the company’s information system and stealing data. The hackers had succeeded in penetrating the system and stealing customer data sometime between Dec. 10 and Jan. 27, with attempts possibly having been made earlier in 2014, according to Anthem spokesperson Kristin Binns.
Hackers had gained access to a company database that included members’ names, birthdays, Social Security numbers, addresses, and employment data, including income, but not credit card information.
Monday morning’s USA Today story included quotes from David Damoto, managing director at FireEye, a security firm brought in to help Anthem analyze the data breach, which may have affected up to 80 million people. “We… saw evidence that the attacker was interested in very specific information, in this case, the database,” Damoto told USA Today. “They did very methodical reconnaissance into the database,” adding that “Attribution takes a lot of data. I think everyone’s just speculating” as to whether Chinese hackers might have been involved, as some press reports citing unnamed sources have stated. “At this point in time, we’re working very closely with the FBI and we haven’t jointly provided any attribution,” Damoto added.
As the USA Today report noted, “Some have questioned why Anthem would have maintained a single database containing information about 80 million current and former members. However,” the report added, “in the healthcare industry, such databases are useful, said J.J. Thompson, the CEO of Rook Security, an Indianapolis-based computer security firm.”
The story quoted Thompson as saying, “If I have my security hat on, I’d say, ‘Never put all your eggs in one basket.’ But in the healthcare world, having the database could lead to better patient outcomes. But it should have been encrypted. I hope it was encrypted.”
All four lawsuits referenced in the USA Today article are class action lawsuits, filed against anthem and/or its affiliate subsidiaries or units, on behalf of large groups of plaintiffs. The Indiana suit, filed in U.S. District Court for the Southern District of Indiana, Indianapolis Division, on Feb. 5, includes in its opening statement, the following: “Anthem’s conduct—failing to take adequate and reasonable measures to ensure its data systems were protected, failing to take available steps to prevent and stop the breach from ever happening, failing to disclose to its customers the material facts that it did not have adequate computer systems and security practices to safeguard customers’ financial account and personal data, and failing to provide timely and adequate notice of the Anthem data breach—has caused substantial consumer harm and injuries to consumers across the United States.”
Healthcare Informatics will continue to update readers on developments in this situation, as new developments emerge.