(Adds detail of email scam, comments from CrowdStrike and
former NSA officials; adds Intuit detail)
By Bill Berkrot and Joseph Menn
Feb 6 Health insurer Anthem Inc on
Friday warned U.S. customers about an email scam targeting
former and current members whose personal information was
suspected to have been breached in a massive cyber attack.
The No. 2 U.S. health insurer said on Wednesday that hackers
breached its computer system containing data on up to 80 million
people.
Anthem announced the warning about the email scam in a
statement, saying the emails purport to come from Anthem and ask
recipients to click on a link to obtain credit monitoring.
Anthem advised recipients not to click on links or provide any
information on any website.
The company said it will contact current and former members
about the attack only via mail delivered by the U.S. Postal
Service. It is not calling members regarding the breach and is
not asking for credit card information or Social Security
numbers over the phone.
Anthem said there was no indication the email scam was
connected to those who perpetrated the security breach.
The insurer acknowledged that data accessed by hackers had
not been encrypted, as is the normal practice at many companies.
"When the data is moved in and out of the warehouse it is
encrypted. But when it sits in the warehouse, it's not
encrypted," Anthem spokeswoman Cindy Wakefield said.
Anthem needs to be able to easily access patient data in
order to create the numerous reports it generates for customers
and regulators as part of doing business, Wakefield explained.
"I think that is standard practice," she added.
"How we managed our data in the warehouse has been
appropriate," Wakefield said. "No one has pointed a finger and
said you did this wrong and this is why this happened."
But Richard Marshall, a former senior cybersecurity defense
expert at the U.S. National Security Agency, said the numbers
should have been encrypted.
"Social Security numbers can be sold to people who are here
illegally," said Marshall, who now advises private security
firms. "Identity theft is a major issue."
In a separate case on Friday, Intuit Inc
temporarily halted electronic state tax return filings by its
customers after detecting what a spokeswoman said were identity
theft-driven fraudulent returns seeking refunds. She said the
fraud had not been tied to any specific breach, including that
at Anthem.
Intuit said late Friday it had resumed electronic filings of
state tax returns.
Experts at other companies said they believed that the Anthem
attacks would eventually be tied to one of the most
sophisticated hacking groups in China, which security firm
CrowdStrike calls Deep Panda and which reportedly began
targeting the healthcare industry last year.
"We've seen the Deep Panda actor registering domain names
that were health-sector specific and could be potentially tied
to victims," said Adam Meyers, CrowdStrike vice president of
threat intelligence.
Social Security numbers and health data might interest spies
for other nations who want to build portfolios of information
about U.S. government employees, for leverage or more targeted
attacks, experts said.
Chase Cunningham, a threat researcher at security firm
Firehost and former NSA cryptology expert, said that over the
past year he had seen more searches originating from China for
broad swaths of data, instead of the previously more typical
attempts at trade secret theft.
Several U.S. states are investigating the cyber attack on
Anthem.
"The level of protection of this highly sensitive
information is very much a focus of our investigation," said
Jaclyn Falkowski, a spokeswoman for Connecticut Attorney General
George Jepsen.
Cyber security has become a major concern for U.S. firms.
Some of the biggest data breaches reported to date include those
at retailers Target Corp and Home Depot Inc.
Wakefield said Anthem was not worrying about lawsuits by
states or customers as a result of the security breach.
"Our first priority is to determine who was impacted and to
notify our members," she said, adding that Anthem was working
with cyber security experts on ways to prevent future attacks.
The insurer has been communicating with regulators and
attorneys general in the markets where it does business,
Wakefield said.
U.S. health privacy law does not specifically require that
all sensitive data be encrypted, said Deven McGraw, a partner in
the healthcare practice of law firm Manatt, Phelps & Phillips.
"Encryption is one physical safeguard that can be very
helpful to lowering cyber security risk," McGraw said.
Anthem's shares closed down 1.1 percent at $135.69 on the
New York Stock Exchange.
(Reporting by Bill Berkrot and Karen Freifeld in New York and
Anjali Rao Koppala in Bengaluru; Editing by Don Sebastian, Lisa
Shumaker and Ken Wills)