First really big data breach of 2015 with personal information of tens of millions affected

February 8, 2015

Anthem, one of the United States' largest health insurers, has been subject to a sophisticated cyber attack. Records of more than 80 million people have been compromised, making it a huge data breach. It is reported in Millions of Anthem Customers Targeted in Cyberattack and Massive Anthem health insurance hack exposes millions of customers’ details, which provides:

Health insurer Anthem Inc, which has nearly 40 million US customers, said late on Wednesday that hackers had breached one of its IT systems and stolen personal information relating to current and former consumers and employees.

The No 2 health insurer in the United States said the breach did not appear to involve medical information or financial details such as credit card or bank account numbers.

The information accessed during the “very sophisticated attack” did include names, birthdays, social security numbers, street addresses, email addresses and employment information, including income data, the company said.

Anthem said that it immediately made every effort to close the security vulnerability and reported the attack to the FBI. Cybersecurity firm FireEye Inc said it had been hired to help Anthem investigate the attack.

The company did not say how many customers and staff were affected, but the Wall Street Journal earlier reported it was suspected that records of tens of millions of people had been taken, which would likely make it the largest data breach involving a US health insurer.

Anthem had 37.5 million medical members as of the end of December.

“This attack is another reminder of the persistent threats we face, and the need for Congress to take aggressive action to remove legal barriers for sharing cyber threat information,” US representative Michael McCaul, a Republican from Texas and chairman of the committee on homeland security, said in a statement late Wednesday.

The FBI had warned last August that healthcare industry companies were being targeted by hackers, publicising the issue following an attack on US hospital group Community Health Systems Inc that resulted in the theft of millions of patient records.

Medical identity theft is often not immediately identified by patients or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected.

Security experts say cyber criminals are increasingly targeting the $3tn US healthcare industry, which has many companies still reliant on ageing computer systems that do not use the latest security features.

Anthem said it would send a letter and email to everyone whose information was stored in the hacked database. It also set up an informational website, and will offer to provide a credit-monitoring service.

The breach has also prompted phishing attacks by fraudsters, as reported in Phishing attacks prey on victims of massive Anthem health insurance hack, which provides:

Fraudsters and hackers have seized on this week’s massive hack of Anthem — the second largest health insurance company in the US — as an opportunity to perpetrate phishing scams. Cybercrime journalist Brian Krebs reports that subscribers past and present to Anthem services like Blue Cross Blue Shield have started receiving phishing emails that purport to be from the company.

The emails promise free credit monitoring service, and encourage recipients to click on a link in the email to enable a free year of credit card protection. Anthem has confirmed to Krebs that while it will be offering a credit monitoring service, it has not yet sent out any such emails. Making matters worse, some have received cold calls from fraudsters who claim to be with Anthem. Both are clearly illegitimate and likely seek to obtain sensitive information for nefarious uses.

In a press release, Anthem notes that it will not email nor phone customers with information on credit monitoring services. Instead, it will send letters to affected households soon.


It’s not clear if the data obtained from the breach — which affected upwards of 80 million people — is being used to carry out these phishing scams, or if scammers are merely playing the numbers game and hoping the messages and calls find their way to Anthem customers.

The hack, which was announced this past week, compromised tens of millions of Social Security numbers, names, birth dates, addresses, and phone numbers, as well as corresponding employment information and member numbers. The information was unencrypted. There’s no sign yet that the data has been distributed publicly, and some experts suggest that the hack was carried out by sponsored Chinese agents as part of broader espionage efforts on select individuals.

Given the number of data breaches last year and this latest breach, it is little wonder that there has been an increase in work for those with the relevant skills, as reported in the New Jersey Law Journal in Client Cybersecurity Demands Drive Burgeoning Practices, which provides:

William Hughes recalls being at a client’s office at 3 a.m.—in the midst of responding to an ongoing cyberattack—when they discovered that the hackers learned of law enforcement’s involvement by infiltrating an employee device.

“It was scary,” said Hughes, a former federal prosecutor who heads the cyber risk management practice at Cooper Levenson April Niedelman & Wagenheim in Atlantic City, N.J. “Their knowledge of not just our client, but the investigation, was mind-boggling. … It is something out of the movies,” Hughes said of the breach, perpetrated about two years ago on a provider of cloud-based services he declined to identify. “It just opens up a whole Pandora’s Box of issues.”

Those issues commonly require a lawyer’s involvement, and firms that developed specialized practices in advance of last year’s barrage of data breach headlines said they’re feeling the increase in demand for cybersecurity counsel.

The risks appear to be more than reputational: one lawyer cited the average cost of a breach, per record compromised, at $30; another, at $200.

“There’s certainly been a growth in this [practice] area at every level,” but many companies, especially in unregulated industries, are “not so much focused on this,” said Fernando Pinguelo, chair of the cybersecurity and data protection practice at Scarinci & Hollenbeck’s Ocean, N.J. office.

“It’s unfortunate because there are simple steps that can be taken to line up the right people,” Pinguelo added. “Businesses need to do more than just talk about this. … They want to be able to pick up the phone and get a human being who is able to orchestrate what their next steps are.”

The first of those steps is to assemble a team of experts equipped to deal with a breach in fields such as forensics, investigation and public relations, firms said.

“As a lawyer, I typically serve as the quarterback coordinating a multidisciplinary group of professionals,” Pinguelo said.

Scott Christie, a partner in Newark-based McCarter & English’s cybersecurity and data privacy practice, said, “That’s why the lawyer who’s coordinating that needs to walk the walk and talk the talk. … It’s vital for an attorney who professes to do cybersecurity work [to] have not only the legal background, but the technical background.”

Also, the privilege-related benefits of a lawyer leading the response team were pointed up by numerous firms.

Christie agreed that demand for cybersecurity services—“driven by the fear of bad consequences”—is high.

A decade ago, “companies would be interested” in data security, “but they’d have so many other demands on their limited resources, it was not necessarily a priority for them,” according to Christie, who previously led the Computer Hacking and Intellectual Property Section at the U.S. Attorney’s Office in New Jersey. “[Now] people are much more aware and willing to spend the money.”

Leading a breach response is only one facet. Cybersecurity practitioners can, directly or via consultants, develop comprehensive breach-response plans, draft written policies, help train employees, provide penetration testing, update policies based on changes in the law, or coordinate victim or law enforcement notification in the event of a cyberattack.

And with a federal data security law in the works but not yet passed, there’s a web of at least 47 state laws with which to contend, lawyers said.

Companies, at some point, can “walk on their own,” but “first you’ve got to know” what data is being stored, where it’s being stored, how long it must be stored, as well as the most efficient way to secure it, Christie said. “When you get that under control … they can do more of it in-house.”

Lawyers pointed out that the majority of these services are provided well before any cyberattack.

“You need to deal with the breach before it occurs—you want to have that plan in place,” said Angelo Stio III, of the Princeton, N.J., office of Philadelphia-based Pepper Hamilton. Stio is part of the firm’s privacy, security and data protection group, as well as its data breach response team. “You want to set things in motion internally and externally. Externally, who’s your lawyer? Who’s forensics? Is there an insurance carrier involved?”

The hack handled two years ago by Cooper Levenson was a “zero-day attack”—one that exploits a software or system flaw that had not been previously detected. A network of hackers in the U.S., Europe and Russia participated, and the personal information thieved by such an attack might fetch six figures on the black market, according to Hughes, who previously was in the computers and finance section of the U.S. Department of Justice’s Antitrust Division and, after that, at the U.S. Attorney’s Office for the District of New Jersey.

Typically, “they’re not people who are my age,” Hughes, 48, said. “These are kids who do nothing but sit at a computer all day, who know coding inside and out.”

Still, some companies’ infrastructures are no match, Hughes and two associates in the practice group said.

“There’s completely unrealistic expectations on what IT departments can do,” said one, Peter Yu, also a former Justice Department attorney. “The expectation is that those IT folks, who have no training in cybersecurity, secure the system against highly, highly sophisticated hackers.”

Michael Salad, another associate in the group, added that while some IT staffers have security training, outside consultants can offer vulnerability and protection testing. “Some of the most sophisticated clients will find several dozen places where they can improve.”

The trouble isn’t over once a breach is addressed and reported, they pointed out: non-law-enforcement agencies may come calling.

“Once a company gets on a radar screen in one area, there is a risk they become subject to scrutiny in other areas as well,” Hughes said.

Sandra Jeskie—who leads the Philadelphia-based Duane Morris’ information technologies and telecommunications group and is former president of the International Technology Law Association—noted that a breach isn’t always a hacker’s doing.

“The thing that … just doesn’t get as much press as it should, and should be more focused on in corporations, [is] the inadvertent disclosures,” Jeskie said, adding that even a lost laptop or a mistakenly addressed email can trigger a legal reporting requirement.

Gregory Parks, co-head of the privacy and cybersecurity practice at Morgan, Lewis & Bockius in Philadelphia, a litigator by training, said he now devotes most of his time to his cybersecurity practice. A total of about 85 lawyers firm-wide are handling such matters to one degree or another, he said.

Last year’s data-breach headlines prompted an uptick in calls from clients, Parks added.

“It is absolutely a constantly evolving thing,” he said. “This is something that every company needs to work on constantly, all the time. You can never say, ‘OK, we are done with cybersecurity.’”

Developing a Cybersecurity Practice

Launching a cybersecurity practice requires significant groundwork. Some lawyers went as far as saying that it’s simpler for a technology professional to learn the law than it is for a lawyer to learn technology.

When e-discovery rules in New Jersey and elsewhere were in flux in 2006, that was “a unique opportunity to delve into these issues deeper,” according to Pinguelo, who said addressing technical issues in litigation and non-litigation matters, as well as working with legislators, helped him develop a core of knowledge. “I can’t think of a better way to bone up on these issues than to be on the front lines.”

Stio said “law firms have started to recognize that this is an area where the law is changing,” but “those on the forefront started doing that seven-to-10 years ago.”

“Any lawyer that is going to engage in this type of practice is going to find a way to educate themselves on these kind of laws,” Stio said, adding that Pepper Hamilton’s breach response team includes lawyers from various practices, some of them industry-based: litigation, labor and employment, corporate and securities, white collar defense, health care, and financial services.

Marketing, at this stage, is mostly through word-of-mouth, lawyers said, though even that is challenging when “companies are loath to disclose publicly that they’ve had a data privacy problem,” according to Christie. Still, client referrals are becoming more common, he said.

Billing for cybersecurity work is approached differently depending on the firm. At Morgan Lewis, a lot of the work is done on an hourly basis, but some tasks, such as developing an incident-response plan or conducting privacy audits, lend themselves to fixed fees, Parks said.

Timothy Blank and Vernon Francis, who co-chair the cybersecurity and data privacy group at Dechert in Philadelphia, said billing for cybersecurity work is approached the same as any other practice, though some tasks, particularly litigation and government investigations, are suited to hourly billing. Dechert, like Morgan Lewis, is willing to conduct audits for a fixed fee, they said.

Pinguelo, who teaches an e-discovery course at Seton Hall University School of Law, said client demand for cybersecurity services will continue to grow, but building a strong practice takes time.

“Any firm looking to get in this area—they need to recognize that,” Pinguelo said.
