The California Department of Insurance has released its findings and settlement agreement in regards to the security breach of the insurance company Anthem. More than 78 million patient records, 12 million belonging to minors, were breached Jan. 27, 2015.
"This was one of the largest cyber hacks of an insurance company's customer data," said California Insurance Commissioner Dave Jones. "Insurers have an obligation to make sure consumers' health and financial information is protected. Insurance commissioners required Anthem to take a series of steps to improve its cybersecurity and provide credit protection for consumers affected by the breach. In this case, our examination team concluded with a significant degree of confidence that the cyber attacker was acting on behalf of a foreign government. Insurers and regulators alone cannot stop foreign government assisted cyber-attacks."
Anthem’s examination team, which partnered with information security firm Mandiant, found the data breach began Feb. 14, 2014, when a user at an Anthem subsidiary opened a corrupted phishing email. The email then allowed the hacker(s) to download malicious files onto the user’s computer, giving hackers access to 90 other Anthem systems that included Anthem’s data warehouse.
In an investigation of Anthem’s pre-breach preparedness, response adequacy and post-breach response and actions, cybersecurity firms found that Anthem had taken appropriate measures before the breach in protecting its data. The team also determined Anthem had integrated a proper plan post-breach, which led to a quick response to the detected breach. The investigative team was able to find Anthem’s weaknesses and develop a plan to fix these weaknesses. As a result, the new plan was found to be reasonable in its data protection.
The team also discovered the origin of the attacker was on behalf of a foreign government. The exam team advised that previous attacks from this foreign county have not resulted in information being shared to non-state actors.
In addition to making improvements to its information security systems, Anthem has also provided credit protection to consumers whose information was breached and is paying more than $260 million for security improvements and remedial actions following the breach. Anthem is also offering credit protection to all minors under 18 following the breach.