In comments to one of our previous posts on this topic, Co-Blogger Bob makes a terrific point:
"Not taking anything away from Mandiant as they are the "A team" when it comes to tracking down hackers ... Most companies do very little when it comes to cybersecurity and many (most?) have probably been hacked and just don't know it."
This morning, the Wall Street Journal reported that "Anthem Inc. stored the Social Security numbers of 80 million customers without encrypting them." On the face of it, this seems pretty unconscionable.
But is it?
I reached out to several of our carriers, and to AHIP (America’s Health Insurance Plans), which represents (most of) the carriers. I had but one question:
"Is this an egregiously unusual oversight, or industry standard?"
That is, is Anthem an outlier here, or do most carriers leave that kind of information unencrypted? The folks at AHIP were kind enough to send me a copy of the HHS regs on the subject, but also told me that they'd not surveyed their members on it, so can't tell me whether or not this is SOP.
I'm still waiting to hear back from my carriers, and will update this post as appropriate.
JUST IN from Anthem:
Members who may have been impacted by the cyber attack against us should be aware of scam email campaigns targeting current and former members. These scams, designed to capture personal information (known as “phishing”), are designed to appear as if they are from a health plan, and the emails include a “click here” link for credit monitoring. These emails are NOT from us.
• DO NOT click on any links in email.
• DO NOT reply to the email or reach out to the senders in any way.
• DO NOT supply any information on the website that may open, if you clicked on a link in email.
• DO NOT open any attachments that arrive with email.
We are not calling members regarding the cyber attack and are not asking for credit card information or social security numbers over the phone.