About 80 million Anthem customers and employees have had their personal information exposed in what security analysts believe is the biggest cyber theft in the history of the health care industry. There is no indication whether the information obtained has been misused.
Anthem is the current network provider and claims administrator for UC SHIP, the university health insurance plan at UC Santa Cruz. Undergraduate students can pay $805 a quarter for access to coverage from Anthem Blue Cross.
Information accessed includes names, birthdates, addresses, telephone numbers, email addresses and employment information but does not include students’ social security numbers.
“Luckily our students’ social security numbers and their medical information have not been breached,” said Student Health Center Ancillary Services Coordinator and senior pharmacist Diane Lamotte. “That is what we know so far and those are the two most important things that we at the Student Health Center are concerned about for our students.”
Anthem recently announced that it’s offering identity theft protection to current and former members as a result of the breach. Victims of the hack will be contacted by postal mail once Anthem has confirmed the number of members affected.
“We had Anthem plans from 2003 to 2013 so we have many former members who are possibly caught up in [the hack],” said Benefits Manager and Health Care Facilitator Frank Trueba.
Though the breach doesn’t expose medical information or credit card and bank account numbers, customers were targeted via email a few days later as a part of a phishing scam to obtain financial information.
The phishing email scams were designed with the Anthem logo and asked customers to click on a link to receive “free credit card account protection” to protect themselves from the recent breach. There’s no evidence the hack and the phishing scam were conducted by the same party.
Computer science professor and Symantec Presidential Chair in Storage and Security Ethan Miller said the tactic behind the phishing scam is to obtain further personal information to convince credit bureaus of your identity.
“Private information like this isn’t useful in and of itself,” Miller said. “If I get your social security number, it doesn’t do me any good to know what nine digits go with your name. It’s only being able to use it for something, applying for credit cards in your name or phishing to try and get information about your bank accounts.”
Anthem hasn’t announced if it plans to change its security system in the future. Many have criticized Anthem for not encrypting the social security numbers within its database. However, encryption doesn’t necessarily mean hackers cannot access information.
“Encryption is not the panacea that everybody makes it out to be,” Miller said. “The reason I say this is encrypted data only helps so far. If you’re familiar with the Edward Snowden leaks, that data was encrypted but he had the key.”
Miller said these situations are avoidable and advises students and faculty to always randomize passwords for different sites because it is easier to expose personal information if the same password is used on a bank account and Facebook.
Miller advises all smartphone users to download two factor authentication to avoid outside access to personal information. Two factor authentication provides an extra layer of security in which the user must provide two sources of identification. For example, a credit card as well as a security code.
The Student Health Center has been in contact with Anthem to discuss how the hack is affecting students.
“At a health center directors meeting, Anthem sat on the phone and responded to us right away,” senior pharmacist Lamotte said. “They were scrambling, but they didn’t back down or hide. They answered every question we asked. In general, we feel they’re being as forthcoming as possible.”