It happened again.
Earlier this month, one of the nation’s largest health insurers, Anthem, said that the personal information of tens of millions of its customers and employees, including its chief executive, was the subject of a “very sophisticated external cyberattack.”
As the New York Times reported, the company, which is continuing its investigation into the scope of the attack, said hackers were able to breach a database that contained as many as 80 million records of current and former customers, as well as employees. The information accessed included names, Social Security numbers, birthdays, addresses, email and employment information, including income data.1
Anthem said no credit card information had been stolen, and it stressed that it didn’t believe medical information like insurance claims or test results were compromised. It said hospital and doctor information was also not believed to have been taken.
Still, the attack could be the largest breach of a health care company to date, and one of the largest ever of customer information, the Times noted.
That’s saying something when you consider that the last year has seen an increasing number of sophisticated and ever-larger hacks on corporate networks — and even on federal government social media accounts.
Just two months ago, office supply retailer Staples said hackers had broken into the company’s network and compromised information of about 1.16 million credit cards when they broke into the company’s network in October.
JPMorgan Chase, the nation’s largest bank, said last summer that hackers had compromised some of the personal information of 83 million households and small businesses, albeit in an attack limited to nonfinancial information such as customer addresses, phone numbers and email addresses.
And in November, hackers that the US government has said had ties to the North Korean government orchestrated a destructive attack on Sony Entertainment that resulted in a flood of confidential executive emails and personal information about employees and the company’s plans for coming movies.
As the roster of corporate victims has expanded, so has the perception for cyber security products and services, at least from the standpoint of investors who have been bidding up the stock prices of related companies.
The Cyber Security motif, for example, has gained 25.9% in the past six months. Over that same period, the S&P 500 has increased 8.8%.
In the past 12 months, the motif has risen 12.9%; the S&P 500 is up 17%.
The Times noted that security experts have no expectations that these kinds of mega attacks are over — especially in the health care field, due to the high value of data on the black market.2
As a rich source of personal information, health care organizations — like hospitals, doctors’ offices and insurers — are increasingly going to be vulnerable to attacks. “Anthem is not the last of these organizations,” Cameron Camp, a data security researcher for ESET, told the Times. “We’re going to see that style of attack again.”
Medical identity theft is on the rise, experts say, because it pays. In black-market auctions, complete patient medical records tend to fetch higher prices than credit card numbers. One security expert told the Times that at one auction a patient medical record sold for $251, while credit card records were selling for 33 cents.
That could bring more worries for consumers, while at the same time supplying the investment thesis for cyber security bulls.
1Reed Ableson and Matthew Goldstein, “Millions of Anthem Customers Targeted in Cyberattack,” nytimes.com, Feb. 5, 2015, http://www.nytimes.com/2015/02/05/business/hackers-breached-data-of-millions-insurer-says.html, (accessed Feb. 16, 2015).
2Reed Abelson and Julie Creswell, “Data Breach at Anthem May Forecast a Trend,” nytimes.com, Feb. 6, 2015, http://www.nytimes.com/2015/02/07/business/data-breach-at-anthem-may-lead-to-others.html, (accessed Feb. 16, 2015).