I got this message from the good folks at Anthem yesterday:
Let’s take that apart, shall we?
“Anthem was the target of a very sophisticated external cyber attack.”
I love the wording here – has anyone ever admitted to being the target of a simple external cyber attack?
“These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.”
Translation: “We just released the identity thief’s treasure chest. Everything you need to open bank accounts, take out loans and generally pretend to be someone else, just add a fake ID.”
“Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.”
It is obvious to me that they were struggling to find some comforting news to tell us, but the fact is that most of Anthem’s customers have health insurance through their employers. Since they do not pay Anthem directly, Anthem does not have their credit card details.
As for medical information, most people don’t really care about others knowing what ailments they are suffering from. Indeed, most will happily tell you if you stand still long enough. It is my understanding that HIPAA, the medical confidentiality law of the land, was originally created to prevent celebrities’ medical secrets from falling into the hands of the press. It obviously works; I didn’t find out that Michael Jackson was bald until after his death.
So… the identity thieves’ wildest dreams have come true, but stuff you don’t really care about is totally secure. It really gives you the warm fuzzies, doesn’t it?
So… what are Anthem going to do?
- Notify all customers whose details were filched. I haven’t been notified, but I have noticed a surge in the number of calls to my cell phone from numbers I don’t recognize. I made the mistake of answering one, and was greeted by a heavy Indian accent. I pretended I couldn’t hear him, and hello-hello-helloed at him until he hung up. Then I added the number to my reject list. Coincidence? Perhaps… but I doubt it.
- They are offering “free credit monitoring”. We’ll see what this looks like, but I suspect that this will be the cheapest option on the table. What they should do is offer the customer a paid subscription to an identity protection service like LifeLock, or offer to pay the fees to lock/block your credit report with the “big three” credit reporting agencies. Time will tell.
Moral: If you run a big website, it’s not a matter of if you get hacked, it’s a matter of when.