Details Emerge of Anthem HIPAA Breach

The colossal security breach at Anthem Inc, which exposed the Social Security numbers and personal details of 78.8 million plan members, is understood to have involved data from as early as 2004. The investigations are ongoing and it is currently not known exactly how many of its members have been affected.

A recent U.S. News and World Report indicates that hackers previously attempted to access the system as early as December 10, 2014. Anthem’s announcement of the breach indicated that January 27, 2015 was the first occasion that access had been gained. Anthem Spokeswoman, Kristin Binns, did not confirm the exact date of the breach, but later announced that “The hackers succeeded in penetrating the system and stealing customer data sometime after Dec. 10 and before Jan. 27”.

Forensic investigators have discovered a number of network access attempts that all carry the same hallmarks, and it would appear that numerous unauthorized data access queries were made during this period using the login credentials of five Anthem Technical workers. The company’s security system appears to have deflected these previous access attempts.

It is not yet known how their login credentials were obtained although hackers have previously accessed healthcare computer systems using malware and phishing scams to obtain passwords and access codes.

There has been a great deal of speculation about the controls Anthem had in place to secure the data. The company elected not to use data encryption, which in itself is not a breach of HIPAA Rules, but the Security Rule does demands that technical, administrate and physical safeguards be put in place to protect data. If the Office for Civil Rights discovers a lack of appropriate safeguards it has the power to issue a substantial financial penalty.

Further Warnings from Anthem


Following the breach a number of Anthem members have been targeted with a phishing scam that attempts to trick members into revealing their personal details. No notifications have been sent by Anthem as the company has not yet confirmed who has been affected, but the company is warning its plan members not to open any attachments, click on any links or divulge any details if they receive an email with the company’s name and logo in relation to the data breach.

The company also confirmed that “Anthem is not calling members regarding the cyberattack and is not asking for credit card information or social security numbers over the phone.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.