
“Anthem was the target of a very sophisticated external cyber attack” - dev1n
http://www.anthemfacts.com/
======
Trisell
Having spent almost 4 years in healthcare IT, I've seen that very few healthcare
organizations take security seriously. There is very much a security by
anonymity ideal. I worked for a small medical company that had access to
20,000 PHI records, and I was explicitly told, "why would anyone want to
hack us, we are small potatoes." I left that company shortly thereafter.

Yet companies I work with now, big and small, look at security as just a bunch
of checkboxes on a government audit form. As long as upper management continues
to see security as a cost loss center, and continues to only do the minimum
necessary to pass said audits, these breaches will continue to happen.

~~~
coldcode
Exactly my experience. We had all the production passwords for servers and
databases in a text file in the repository because the chief architect didn't
like to remember passwords. When I pointed this out as a HIPAA violation the
CTO told me they passed their audits so it didn't matter.

~~~
dragonwriter
> When I pointed this out as a HIPAA violation

What provision of HIPAA does this actually violate?

It's clearly a bad practice (and obviously increase the risk of a breach,
which, if it occurs, becomes an issue under HIPAA and related laws), but AFAIK
neither HIPAA and subsequent modifying statutes nor the regulations adopted
thereunder actually mandate particular password handling practices. Or is
there something addressing that in the "guidance" issued under the HITECH act
(I remember that establishing, by reference, some standards for encryption,
and it wouldn't have been out of place for it to establish password-handling
practices)?

~~~
xenophonf
Covered entities must "[protect] against any reasonably anticipated threats or
hazards to the security or integrity of such [electronic protected health
information the covered entity creates, receives, maintains, or transmits]"
(45 C.F.R. § 164.306(a),
[http://www.law.cornell.edu/cfr/text/45/164.306](http://www.law.cornell.edu/cfr/text/45/164.306)).
Storing passwords in the clear "obviously increase [sic] the risk of a
breach", hence this is a reasonably anticipated threat.

HIPAA and similar laws don't codify whatever we think is good computing
practice today. Down that path lies madness. Congress would have to re-write
the law any time GCPs change, or else the law would become a hindrance to the
very goals it's trying to achieve (in this case, healthcare-related information
security). Instead, the law is written more generally, with "reasonable" being
the keyword that lets the legal system refer to current practice.

(My adaptation of "GCP" is stolen shamelessly from the clinical research
folks, who use it to refer to "good clinical practice",
[https://en.wikipedia.org/wiki/Good_clinical_practice](https://en.wikipedia.org/wiki/Good_clinical_practice).)

~~~
dragonwriter
> Covered entities must "[protect] against any reasonably anticipated threats
> or hazards to the security or integrity of such [electronic protected health
> information the covered entity creates, receives, maintains, or transmits]"
> (45 C.F.R. § 164.306(a),
> [http://www.law.cornell.edu/cfr/text/45/164.306](http://www.law.cornell.edu/cfr/text/45/164.306)).

But they also have freedom to select the particular security measures to use,
considering: "(i) The size, complexity, and capabilities of the covered
entity. (ii) The covered entity's technical infrastructure, hardware, and
software security capabilities. (iii) The costs of security measures. (iv) The
probability and criticality of potential risks to electronic protected health
information." 45 C.F.R. § 164.306(b)

> HIPAA and similar laws don't codify whatever we think is good computing
> practice today.

No, but that's what implementing regulations _usually_ do. HIPAA regs mostly
_don't_ include minimum _technical_ standards (most of the security minimum
standards are procedural).

> Congress would have to re-write the law any time GCPs change

Well, sure, if the minimum standards were written into the statute, which is
why they are usually in the much-easier-to-change implementing regulations.
The guidance under the HITECH act in effect did some of this for HIPAA PHI, as
it created minimum standards for PHI to be considered "secured". But,
generally, there's not much there, and it's very difficult to make a solid case
that any particular technical practice is necessarily a violation of the HIPAA
Security Rule.

------
danso
Looks like they misled the New York Times:

[http://www.nytimes.com/2015/02/05/business/hackers-breached-data-of-millions-insurer-says.html](http://www.nytimes.com/2015/02/05/business/hackers-breached-data-of-millions-insurer-says.html)

> _Anthem learned of the hacking last week and called in Mandiant over the
> weekend. The company was not obligated to report the breach for at least
> several more weeks but chose to do so now to show that it was treating the
> matter seriously._

As user jakejohns has pointed out
([https://news.ycombinator.com/item?id=9002003](https://news.ycombinator.com/item?id=9002003)),
the WHOIS points to a creation date for ANTHEMFACTS.com of `2014-12-13` with
GoDaddy.

~~~
jriordan
Could this be any more patronizing and offensive? Look, if you are an Anthem
member, or if you were an Anthem member, you've been doxxed... and quite
comprehensively:

 _have obtained personal information from our current and former members such
as their names, birthdays, medical IDs /social security numbers, street
addresses, email addresses and employment information, including income data_

And you were doxxed nearly two months ago. Or maybe not, because Anthem goes
out of its way to _NOT_ tell you when this occurred. If you were affected
here's how they will notify you:

 _We continue working to identify the members who are impacted. We will begin
to mail letters to impacted members in the coming weeks._

So sometime within the next month you will get a snail mail telling you that
you were doxxed... and that letter will probably be extremely vague about the
details, but will be quite heavy on the PR and perhaps even have a nice
picture of Grandpa CEO at the top.

Anthem is not taking this seriously. No matter what they are trying to
communicate with their PR gloss, they seem to care about covering their asses
first and really don't seem to give a hoot about all your personal data that
is out there in the wild.

More like AnthemLies.com...

~~~
mattmanser
That's not what doxxing is. This is a privacy breach. Doxxing is taking an
anonymous user account and turning it into a real person.

A pertinent example of doxxing is what the FBI did in linking DPR to Ross
Ulbricht due to the mistake he made on a bulletin board.

~~~
feld
Dox -> documents -> publishing personal information, no?

Why does the victim have to be anonymous?

~~~
oddgodd
In modern usage of the term they don't. The term originated in underground
circles where anonymity by all participants was assumed, and where there were
probably legal or criminal revenge consequences for tying a pseudonym to a
real identity.

Kind of like how troll now means 'person who is an asshole on the internet'
instead of 'post designed to rile up and elicit frivolous responses'. The
meaning has changed over time for better or worse.

~~~
feld
I don't know, even Wikipedia seems to agree with me.

[http://en.wikipedia.org/wiki/Doxing](http://en.wikipedia.org/wiki/Doxing)

And didn't the GGers "dox" Randi, Anita, Brianna, etc?

But I'm even more old school because I'd just call it skiptracing instead of
doxing....

~~~
mattmanser
You're ignoring the bits of that article you don't like:

 _Essentially, doxing is revealing and releasing records of an individual,
which were previously private, to the public._

Where's the "reveal" in this hack? They'll use the hacked info privately or
sell it.

~~~
feld
What are you talking about? I never said this was "doxing"; I know there was
no reveal. I was referring to the definition of "doxing" which I felt didn't
fit.

Did you read the comments completely? If Randi, Anita, and Brianna weren't
anonymous but they were "doxed" it seems to me that "doxing" doesn't have to
refer to revealing info of an anonymous person.

------
malandrew
Identity Theft is not a thing. Others have pointed this out in the past here
on HN.

[https://news.ycombinator.com/item?id=7369725](https://news.ycombinator.com/item?id=7369725)

[https://news.ycombinator.com/item?id=6583776](https://news.ycombinator.com/item?id=6583776)

[https://news.ycombinator.com/item?id=7369713](https://news.ycombinator.com/item?id=7369713)

[https://news.ycombinator.com/item?id=3482991](https://news.ycombinator.com/item?id=3482991)

[https://news.ycombinator.com/item?id=6583879](https://news.ycombinator.com/item?id=6583879)

[https://news.ycombinator.com/item?id=3483009](https://news.ycombinator.com/item?id=3483009)

~~~
Potando
Mitch and Webb sketch on identity theft not being a thing
[https://www.youtube.com/watch?v=CS9ptA3Ya9E](https://www.youtube.com/watch?v=CS9ptA3Ya9E)

------
windexh8er
I feel most for those who have young children. If you consider the long term
viability of SSN over the life-span of a person who is under the age of 5
today they'll likely have been exposed to a breach that will contain their dox
a few times over by the time they reach a legal age - that is likely a
conservative estimate given the frequency of these events. SSN is broken and
we're going to see a lot of push back going forward as these people come of
age.

TL;DR If you're a parent, monitor your child's SSN for activity. Especially
considering this is a healthcare breach, nobody is immune.

~~~
k2enemy
We really do need to find a better way of authenticating and identifying
people. SSNs were never meant for this and they clearly don't fill the role
successfully.

I've long been a proponent of the government announcing that they will publish
everyone's SSN 2 years from now. Banks, insurance companies, the govt, etc.
have until then to figure out better methods.

~~~
kanzure
> We really do need to find a better way of authenticating and identifying
> people

What about not doing that at all? Hear me out. Not relying on "identity" would
cost many orders of magnitude less. And besides, why should I care who you
are-- what does your identity matter to me? And why should anyone else care?

~~~
steego
It sounds like you're putting the bait out so somebody will disagree with you
and then you'll explain the alternative to using identity as a form of
authorization.

Can you save us a long and stupid discussion and simply explain your plan to
practically deploy a better authorization system that will cost many orders of
magnitude less?

------
ipsin
"A very sophisticated external cyber attack" which is a "security
vulnerability"... The more "sophisticated" they claim this "cyber attack" is,
the more I think it's a garden-variety SQL injection fuck-up.

They've done a bad job of protecting their customers' data, and an even worse
job of explaining what actually happened.

~~~
kowsik
+1 on the "sophisticated" == 'SQL injection', though it's all speculation at
this point.

~~~
ipsin
That's really my problem -- that they're leaving their victims to speculate.

It's great that they "made every effort to close the security vulnerability".
How's that going?

They hired Mandiant to "evaluate our systems and identify solutions based on
the evolving landscape." Is "evolving landscape" CEO-speak for "Oh, god, we're
still leaking customer data like a sieve, make it stop!"?

I'm just going to keep speculating, because if Anthem's not going to bother
speaking plainly, I'm just going to assume the worst.

~~~
jimkri
>It's great that they "made every effort to close the security vulnerability".

I love that quote, they try to cover their asses by saying we closed the
vulnerability. My question is why did you wait till it was taken advantage of?

~~~
goykasi
Even better is that they didn't explicitly state that they did close the
vulnerability -- simply that they put forth every effort to do so.

~~~
cmcpgh
If we combine the Check Point firewall job posted on Anthem Inc.'s website
on 1/30/2015, add in the "discovery" on 1/29/2015, and think about Check
Point's vulnerability to Heartbleed and Shellshock last year, one might also
guess that a VPN stolen-credential compromise (like the major CHS breach last
year) or a generic firewall compromise (via shellshock) are in the running as
possibilities.

------
beeskneecaps
I like the two Anthem job reqs that were very recently added:

2/4/15 (umm, today): [http://www.careers.antheminc.com/jobs/cloud-encryption-security-professional-richmond-virginia-job-93911/](http://www.careers.antheminc.com/jobs/cloud-encryption-security-professional-richmond-virginia-job-93911/)

1/30/15: [http://www.careers.antheminc.com/jobs/checkpoint-firewall-expert-atlanta-georgia-job-99975/](http://www.careers.antheminc.com/jobs/checkpoint-firewall-expert-atlanta-georgia-job-99975/)

Could be a coincidence, but I wouldn't be surprised if they were compromised
several days before this press release.

~~~
sprkyco
To add to this a bit, searching for 'security' jobs at Anthem only reveals 12
jobs, which to me seemed rather low.

------
kevinchau
I hate the tone of that letter; it has the typical PR tone all over it.

Basically to sum it up: "Your Social Security Number, Name, Birthdate,
Address, and everything else needed to steal your identity is at risk. But
don't worry! Your credit card number is safe."

~~~
jakejohns
The whois[1] records for [http://anthemfacts.com](http://anthemfacts.com) show it was
registered in December. It took them months to create that PR report and
prepare for damage control. They should have notified victims much earlier.

[1]
[http://whois.icann.org/en/lookup?name=anthemfacts.com](http://whois.icann.org/en/lookup?name=anthemfacts.com)

~~~
valgaze
THAT is some clever detective work!

To give 'em the benefit of the doubt-- perhaps perhaps perhaps they needed
that particular domain in anticipation of some other instance where they
dropped the ball but your conclusion is more compelling.

~~~
thirsteh
They recently changed their name. Could be that they wanted to use the domain
for something else initially.

------
jdp23
Privacy Rights Clearinghouse has a couple of excellent fact sheets on identity
theft.

[https://www.privacyrights.org/how-to-deal-security-breach](https://www.privacyrights.org/how-to-deal-security-breach) covers
situations like this where there's been a security breach - how to order and
monitor credit reports, put in a security freeze (which makes it harder to
open up new credit cards or credit lines in your name), etc.

[https://www.privacyrights.org/content/identity-theft-what-do-if-it-happens-you](https://www.privacyrights.org/content/identity-theft-what-do-if-it-happens-you) covers when you've actually been the victim of an identity theft.

~~~
AtmaScout
Those are great links. Thank you very much.

------
gergles
Good job issuing the release in the middle of the night to try to avoid the
PR, too. What a trainwreck. Anthem basically passed out identity theft kits,
and you can even sort by income to go after the rich ones first! (Why does
Anthem know your income? It doesn't seem relevant to offer you health
insurance products.)

~~~
objclxt
> _Why does Anthem know your income? It doesn't seem relevant to offer you
> health insurance products._

Your income is strongly correlated with your health. The lower your income the
more likely you are to suffer from conditions such as obesity and diabetes,
and the higher your mortality rate will be. Health insurers can use income
figures as one factor when calculating the overall risk of a policy.

~~~
FLUX-YOU
Can you lie to them about it? Do they (or any insurance) actually verify your
income?

~~~
malfist
Yes, but they can use that as grounds to not pay a claim if they find out.

It's not illegal, but it violates the contract you sign with them and lets
them off the hook for paying for things. Mind you, they'll still keep the
money you paid them.

------
jrapdx3
It makes me wonder. For several years the US government, Medicare, and private
insurers have been pushing hard for health care providers to adopt Electronic
Health Record systems. Now in the current phase "interoperability" of EHR
systems is the catchword.

A question to ask is how secure is a large network of EHRs going to be? I
don't know of data showing the frequency or severity of EHR security breaches
but it would be surprising if there were not at least some. In any case, this
kind of info would probably not be made available to the public, even though
it should be.

Anthem's poor job of keeping confidential info private is especially
distressing given the fact that many health insurers are also health care
providers (e.g., hospital systems). Computer systems are very hard to operate
securely, and after what happened, it's hard to trust these corporations will
take the task seriously.

I've been quietly predicting that security of health information is going to
become the Next Big Privacy Issue as the Internet of Medical Records grows
ever larger.

~~~
roel_v
"A question to ask is how secure is a large network of EHRs going to be?"

LOL, everyone 'on the inside' (by that I mean: at least anyone who works on
computers, software or networks professionally) knows the answer to that
question: it's going to be a train wreck. There is not a single person on this
planet who _really_ understands just 1% of the software, hardware and network
infrastructure they/we work on every day; let alone how all of these interact.
Computers, in 2015, are so complex, and our 'engineering' is so shoddy, that
there is no way to safeguard networked data for anyone but the most determined
and resourceful parties (by which I mean organizations of which there are but
a handful in the whole world, and even those can't seem to keep secrets really
secret.) Either way, there is no way at all that a non-IT focused organization
like a healthcare insurer or provider will be able to keep data secure, and
it's only a matter of time before incidents like this will become commonplace.

Consider: I have an in-law who is a partner in a largish practice in my area.
We talked a bit about the business aspects of the practice when she became a
partner because she had to put up with all the management crap all of a sudden
and it was nice for her to vent to people who had similar issues. Anyway,
point being I know a bit about the finance and management of a rather typical
organization like that. These people will in the next 5 years somehow get
access to our, by then, country-wide EHR system. They work on computers they
buy from the local computer shop because the prices 'seem reasonable' and
Jimmy who works there dates the secretary or whatever; so Jimmy (whose
training was in swapping out hard disks and reinstalling Windows) is the one
who 'maintains' their systems, too. Their cash flow is so precarious that some
months they can't pay full wages to the partners. How will an organization
like that ever be able to secure their network? Their 'security' consists of
the cable guy setting a non-default WPA key on their wireless router.

And of course, they're required by the organization that maintains the EHR
system to have 'regular auditing of their systems' to ensure security. Which
consists of a couple of big 4 consultants who interview the management, tick
some boxes on their checklist and make a 50-page CYA report out of that,
without ever having touched a server or network.

I got out of the security game 10 years ago, and it was already scary back
then. Maybe somebody who still works there will feel otherwise, but computer
security (on the blue team) is like FEMA sending two guys with a shovel and a
Walmart plastic bucket to a dike breach. (whereas on the red team it's
shooting fish in a barrel, of course.) We are truly fucked, because too few
people understand the magnitude of the problem and as long as there are no
problems and you don't look too closely at the robustness of things, using
computers is much cheaper than the alternatives.

~~~
pdoconnell
No, you're about right. On the bigger corporate side, security is at least the
big buzzword. The VP- and C-level positions want to be sure that action is
being taken to improve security, but day to day requests to poke holes in the
walls come in. That is not to even mention the huge, ancient systems that are
in the middle of multi-year replacement processes that began before security
was so important. That means at best the replacement will have the security
best practices of the last few years stapled on awkwardly, but more likely
nothing will change given the millions poured in already.

------
imjustsaying
Why were they storing sensitive data of _former_ customers?

It seems like a risk with no benefit, with the only justification being "all
data could be valuable eventually so let's never delete even the personal
sensitive data." Ironically, the data did eventually become valuable - to
someone else.

~~~
kabdib
Proof of coverage can be important.

It used to be common for insurance companies to look carefully at your
coverage record, and if you had any time during which you were not covered,
they'd say stuff like "Oh, that horrible cancer you have? Yeah, we're not
paying for it because it was a 'pre-existing condition' that you got during
that weekend you had between two jobs six years ago." And the law let them do
that.

Health care in the US is . . . the phrase "utterly broken" isn't strong
enough. We need a good fifteen syllable German word for how fantastically
fucked up it is.

Of course I'm trying to explain Anthem hanging onto data. Probably it was
totally selfish ("we can send them spam") or sheer laziness.

~~~
Estragon
> they'd say stuff like "Oh, that horrible cancer you have?
> Yeah, we're not paying for it because it was a 'pre-
> existing condition' that you got during that weekend you
> had between two jobs six years ago."

Can you give a link to an article about this? I didn't know "pre-existing
condition" worked like that.

~~~
jakejake
The example is a little bit exaggerated, but basically if you have a major
medical problem with huge bills, the insurance companies will look for ways
to get out of paying. It may not be right or even legal, but the process of
disputing claims is a confusing hassle. I can tell you from personal
experience that it takes a lot of determination to dispute with an insurance
company and I can imagine a lot of people just give up.

This is just a random link describing one scenario -
[http://www.yourwisconsininjurylawyers.com/library/claim-denied-because-of-a-preexisting-condition.cfm](http://www.yourwisconsininjurylawyers.com/library/claim-denied-because-of-a-preexisting-condition.cfm)

------
jamra
I wonder why they needed to store SSNs online. They use SSNs to run a credit
check and identify a person. Why then is it not stored encrypted and over an
air gap? They can use email and phone numbers to recover passwords. This is
absolutely ridiculous.

They said in an email that they would pay for one year of credit protection
for all those that they say were victimized. I don't think that they are
capable or trustworthy enough to state who was victimized. It looks to me that
they are just ignoring their responsibility for this attack. They also stated
that they do not think health records have been compromised. I believe that
they are just trying to avoid HIPAA fees. If so much personal data was stolen,
it is likely that health information was also stolen. Generally, the patient's
personally identifiable information is stored more securely than their actual
health record.

Now I'm off to get credit protection for me, my wife, and my one year old.
Does anyone have any advice on where to begin?

------
anigbrowl
According to the media, even their CEO's records were taken:
[http://www.nytimes.com/2015/02/05/business/hackers-breached-data-of-millions-insurer-says.html](http://www.nytimes.com/2015/02/05/business/hackers-breached-data-of-millions-insurer-says.html)

~~~
qohen
It's mentioned in the CEO's letter on anthemfacts.com:

 _Anthem’s own associates’ personal information – including my own – was
accessed during this security breach._

~~~
frownie
That's very vicious PR to me. By acknowledging some guys there were hacked too,
they implicitly say that: "we're in the same boat, Anthem and their
customers, we'll fight together". Which, at least for me, is completely wrong.
_They_ fucked up and they put the customers in the shit.

------
siliconc0w
This is so infuriating. Good luck trying to do anything sensible like freezing
your credit. Each credit bureau competes with the next for making the process
as painful as possible. 500 errors, timeouts, invalid challenge questions,
ambiguous or just broken password requirements. They don't give a fuck -
you're not the customer. The customer is the debt industry that pays them for
your info. Oh and they each charge $10 to freeze your credit but hey you can
mail them a copy of a police report and they might waive it. I gots to shell
out $30 because Anthem fucked up, assuming I can even get their broken ass web
applications to take my money.

------
chatmasta
Enterprise hacks are sadly becoming more common, and more sadly, it appears
security is abysmal in all cases of large scale hacks. Many attacks of the
past 24 months included simple exploits, social engineering or both. These are
the kind of attacks a small group of rogue individuals can accomplish from
computers anywhere in the world.

If small groups of individual "hackers" are capable of executing high-profile
operations, just imagine the capabilities of nation-state cyberwarfare forces.
The intelligence agencies of large governments employ thousands of
professionals, all at least as qualified as the hackers behind these attacks.
The difference is that government employees (or contractors!!) have no fear of
legal repercussion restraining their operational activities.

When attacks like this move the market, any scrutiny of the attack must
include analysis of market trading in the days following. Who profits from the
drop in Anthem stock price? I imagine the SEC investigates this as part of due
course, but one should consider that nation states are active investors in the
stock market, whether directly or through hedge fund proxies. If a nation
state can hack a large enterprise, and a nation state can trade large volumes
of securities against that enterprise, then it follows that nation states can
profit from cyber warfare.

The next five years are going to be very interesting.

------
Bud
Greeeeeeeeat. Anthem just became my health care provider. This fills me with
confidence.

I'm especially unimpressed by Anthem's failure to hire a good copy editor for
such a vital message, as evidenced by the painfully obvious error at the end
of the penultimate paragraph: "share that information you" should read "share
that information with you".

~~~
jgeorge
My new health care provider as of January 1st!</yay>

------
emeidi
High five to all the CISAs, CISMs, CGEITs, CRISCs and CISSPs at Anthem.

~~~
Slartibreakfast
It's important to remember that many of the security folks at these companies
are actually pretty good. This is more of a C-Suite problem than a security
team problem - security people can't get much done if senior management
doesn't prioritize a good information security program.

------
Elrac
This is a big company, publicly embarrassed by a breach in data security and
worried about their stock price. Now they're in damage control mode.

Call me a cynic, but my intuition says the whole page is a lie. My guess is
the data was simply pilfered and copied to a USB stick by a disgruntled ex-
employee or even a corruptible current one.

------
ebcase
Curious if the HN community has any recommendations for identity-theft
monitoring services?

Each time this happens, the breached company partners with some firm or
another to offer "one free year of identity monitoring" or somesuch. e.g.
ProtectMyID after the Target breach.

Are there better alternatives to ProtectMyID?

~~~
jstalin
Go to any of the three credit reporting agencies and fill out the "fraud
alert" form. That will place a hold on your credit report at all three credit
agencies and anyone applying for credit under your name will be blocked. The
entity that the person is applying for credit with has to contact you using
the contact information you provide to verify that it is indeed you that's
applying for credit.

~~~
yawz
It looks like it's sufficient to do it with one as the alert propagates to the
other two. And it lasts 90 days.

"Ask 1 of the 3 credit reporting companies to put a fraud alert on your credit
report. They must tell the other 2 companies. An initial fraud alert can make
it harder for an identity thief to open more accounts in your name. The alert
lasts 90 days but you can renew it."

[http://www.consumer.ftc.gov/articles/0275-place-fraud-alert](http://www.consumer.ftc.gov/articles/0275-place-fraud-alert)

------
AdmiralAsshat
Boy it sure does fill me with confidence to know that I am hearing about my
personal information having been compromised through a news website rather
than through the incompetent organization that allowed my information to be
leaked in the first place...

~~~
waspleg
When I woke up this morning they had sent me and my spouse an email overnight
with the same letter that's posted on the anthemfacts.com site. Maybe they
don't have your email address?

------
dplarson
For those not aware, Anthem is also the insurance provider for the entire
University of California system
([http://www.ucop.edu/ucship/](http://www.ucop.edu/ucship/)).

~~~
bwheel
It would be responsible of them to alert their current students and alumni of
the breach, because as of now, I don't think they have. At UCB, there is a
medical facility on campus and when you have SHIP insurance it almost feels as
if your provider is the school itself. Dues are paid as part of tuition and
most services can be rendered on campus, as well as most questions about your
insurance answered at their front desk. Easy to forget that you're actually a
client of Anthem.

------
kevinchau
While you are waiting for Anthem to drag their feet, here's a year of
AllClearID Pro on behalf of Home Depot:

[https://homedepot.allclearid.com/](https://homedepot.allclearid.com/)

------
e40
What's the HIPAA fine for a breach of this size? Will it be levied?

------
randomname2
Rumours say this has ended up on torrents, any truth to that?

------
Scramblejams
How about if companies holding sensitive data were required to subject
themselves to pen test attacks by properly incentivized third parties? Even if
an attack were not successful the deliverables would quickly tell an
experienced hand whether the attempt had been sufficiently rigorous. And that
would allow for a good audit mechanism.

~~~
JCJoverTCP
You wouldn't happen to be a pen tester, would you?

~~~
Scramblejams
Nope. Sounds fun though.

------
christopheraden
I've been with Anthem since going back to the UC system.

Is there any way to check if I'm affected by the breach? University of
California has not made an official statement regarding the breach whatsoever.

I'm looking for something similar to the way you could enter your email
address and figure out if your Adobe account was hacked.

------
bsimpson
I know my credit card company allows me to set a password to prevent
unauthorized access from someone who might have stolen this kind of data. Is
there a similar system in place to make it harder for an identity thief to
open accounts in my name or do other things that might damage my reputation?

~~~
syshax
You can freeze your credit. I don't claim it to be a comprehensive solution to
a complicated topic like identity theft, but it helps, and is fairly easy and
inexpensive to do.

[http://www.clarkhoward.com/news/clark-howard/personal-finance-credit/credit-freeze-and-thaw-guide/nFbL/](http://www.clarkhoward.com/news/clark-howard/personal-finance-credit/credit-freeze-and-thaw-guide/nFbL/)

~~~
bsimpson
I love that companies that I never agreed to have a business relationship with
can charge me to preempt getting fucked by their shitty security.

"Fees for Identity Theft Victims: Free; Non-victims: $10"

If I wait to become a victim, I can save tens of dollars!

------
bibabo
Most companies only focus on perimeter defense and are soft bellies once
opened up or to an internal job #sonylearning

And as long as it is not practice to sue companies and Cxx for negligence when
they do not internally protect the data (no unencrypted data at rest) this
will not change.

------
Spoom
I'm in the process of getting Anthem to pay for my credit monitoring now. If
you're in the same boat of not wanting to wait for a snail mail letter, call
1-877-263-7995 and escalate twice.

~~~
el_benhameen
Did you have any luck with this? I spoke to a few different people and got
stonewalled every time.

~~~
Spoom
They were supposed to call me back and didn't. I ended up just setting a 90
day fraud alert on my credit profile[1] and with ChexSystems[2]. Both are free
for people who believe their identity may be compromised; you don't need a
police report. They also give you a link to get a free credit report. Both may
be renewed after the 90 days expires.

I may still call Anthem back out of principle.

1. [https://www.alerts.equifax.com/](https://www.alerts.equifax.com/) -
should automatically propagate to the other two

2. [https://www.consumerdebit.com/consumerinfo/us/en/chexsystems/theftaffidavit/index.htm](https://www.consumerdebit.com/consumerinfo/us/en/chexsystems/theftaffidavit/index.htm)

------
kolev
So, to stress that they are not morons, they call this "sophisticated".
You can safeguard your personal info as much as you want, but these big data
warehouses will always leak it!

------
mparr4
I love the hero image.

Nothing says "state of the art" quite like a highly pixelated image on your
"we got hacked" response letter.

------
feld
I'm just _thrilled_ to recently be downgraded to an Anthem customer.

I miss my old insurance.

~~~
waspleg
They're fantastically better than any other insurance I've had. What they
cover for my family is easily another income every year. What did you have
before?

~~~
nostrademons
Anthem is very schizophrenic about their group vs. individual plans. I was
covered by them under Google's group plan and they were easily the _best_
insurance company I've had. They paid for all sorts of things that other
insurers wouldn't bother for, no questions asked, and were great to deal with.

Then I tried continuing with one of their individual plans after leaving, and
they were easily the _worst_ insurer I've ever dealt with. Things like not
informing me that my PCP (who'd certainly been part of the group plan) was not
part of the individual plan's network, or finding out that the nearest
available PCP who was is 40 miles away (I live in a major metropolitan area
with several million inhabitants). Not being able to change my address through
the website - they have a form up that doesn't work, along with a message
saying "If this form doesn't work, please call ..." Taking hours to get ahold
of a human on the phone. Billing hassles. Sending out "your coverage is ending
in 30 days because of non-payment" notices even though I'd faithfully paid
online on-time. I'm actually quite glad that their terms are "Your policy ends
automatically when you don't pay", because they've made it pretty much
impossible for me to pay them - their online billpay refuses to take my
payment (failing with no error message), which I suspect is because my address
changed, but their website makes it impossible for me to update my address,
calling them takes more time than I'm willing to invest, and I don't have any
trust that if I send them a check it will actually be credited to my account.
I just started a policy with Blue Cross Blue Shield instead, which has been a
joy in comparison, and let Anthem lapse.

If you read the Yelp reviews, they're far worse than my situation - folks
being promised coverage for hospital stays and then denied coverage
afterwards, and multiple lawsuits outstanding against them.

The cynic in me thinks that Anthem is basically unable to continue as an
operating business, and so they're triaging accounts. The big group accounts
like Google get top-of-the-line service, so that they can keep them and
hopefully bring in enough revenue to tide the company over. The individual
accounts - anything that's small enough to (presumably) not have many other
options and unable to sue - get screwed. So if you're in one of those groups,
be thankful; if you're an individual, start looking elsewhere.

~~~
feld
That is an interesting point of view. Thanks!

------
eyeareque
Sophisticated attack == SQLi || "someone opened a PDF with malware" ?

------
cm2187
I can't believe it has been at least a full week since the last announcement
of a massive data breach...

I am concerned that if the industry doesn't fix this, regulation will.

~~~
imjustsaying
Thank you for the idea. I'm going to pass some regulation for my Wordpress
sites so they'll never get hacked again.

~~~
cm2187
The question is not whether it will be efficient but whether it will happen.

It will mean licenses and certifications to have the right to store personal
data, regulations to comply with in terms of system architecture with audits
and penalties for breaches. More bureaucracy and processes. You won't create a
website over a weekend.

Currently any idiot can create a database and store sensitive information
without even knowing what a SQL injection or a rainbow table is.

Most professions are regulated: architects, doctors, pilots, farmers, bankers,
even restaurants! And each time regulations come as a result of f __k ups:
banks or homes collapsing, conmen selling snake oil, food poisoning, etc. IT
is the only sector where mild amateurism is not only acceptable but rather the
norm more than the exception.

------
kowsik
The security industry/products seriously need a make over. So much money spent
and yet, hacks just keep getting bigger and worse.

[edit]: Disclaimer - I'm CTO at @menlosecurity.

~~~
zobzu
The security products aren't great, true, but the ppl working as security
engineers in companies are often quite decent.

It seems to me that it's the usual issue. People don't see the need for
protection until they've been hit. It seems to be a cost that doesn't make
sense to them. They don't even care anymore.

Then they get hit hard. But it can take years.

~~~
tw04
I've actually had the exact opposite experience. Security Engineers at most
companies have no idea what they're doing beyond running the scanner and
parroting whatever it spits out.

"The scanner says your server is vulnerable"

"Ya, we patched that vulnerability weeks ago"

"The scanner says it's vulnerable"

"OK.... _looks at scanner_ - oh, it's just reading the banner, and not taking
into account that the major rev didn't change, it's patched"

"The scanner says it's vulnerable"

"OK... so what if I change the banner so it doesn't pick it up as vulnerable?"

"The scanner says it's secure now, thanks!!"

The guys who know their stuff in security generally have a desire to actually
get paid well, and have time to do legitimate research. They don't really have
a desire to sit in a corporate job dealing with the mountains of bureaucratic
bullshit that goes along with security in a corporation. Do you really want to
be the guy who gets thrown under the bus because you had to disable strong
passwords because the CEO was angry he needed both upper and lower case
letters in his AD password?
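
The banner-versus-patch false positive in the exchange above, as an added Python example that is not from the thread or from any scanner vendor. The product name `ExampleHTTPd`, the vendor name `ExampleOS`, the version numbers and the backport table are all constructed for illustration; they do not describe any real product's patch state. The point it shows is that a banner is a self-reported string, so the right fix is to make the check backport-aware (or to verify the installed package on the host), not to edit the banner until the scanner goes quiet.

```python
"""Naive banner-version check vs. a backport-aware check.

Constructed scenario: a hypothetical flaw in ExampleHTTPd is fixed upstream
in 2.4.0.  The vendor ExampleOS backports the fix into package release 7 of
its 2.3.1 build without changing the upstream version in the banner, so a
scanner that only compares "2.3.1 < 2.4.0" keeps reporting a patched host.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed advisory data: upstream version that first contains the fix.
UPSTREAM_FIXED_IN: Tuple[int, int, int] = (2, 4, 0)

# Constructed vendor table: minimum package release, per vendor, that carries
# the backported fix for the affected upstream version line.
BACKPORTED_FIX_RELEASE = {
    "ExampleOS": 7,
}

# Banner shape used in this example, e.g. "ExampleHTTPd/2.3.1 (ExampleOS 7)".
BANNER_RE = re.compile(
    r"^ExampleHTTPd/(\d+)\.(\d+)\.(\d+)(?: \((\w+) (\d+)\))?$"
)
# Installed package version as reported by an authenticated host check,
# e.g. "2.3.1-7" (upstream version, then vendor package release).
PKG_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


@dataclass(frozen=True)
class Banner:
    version: Tuple[int, int, int]
    vendor: Optional[str]
    release: Optional[int]


def parse_banner(banner: str) -> Banner:
    """Parse the constructed banner format; raise on anything unexpected."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"unrecognised banner: {banner!r}")
    major, minor, patch, vendor, release = m.groups()
    return Banner(
        (int(major), int(minor), int(patch)),
        vendor,
        int(release) if release is not None else None,
    )


def naive_is_vulnerable(banner: str) -> bool:
    """What the thread's scanner does: compare the upstream version only.

    Flags every 2.3.x host, including the ones the vendor already patched.
    """
    return parse_banner(banner).version < UPSTREAM_FIXED_IN


def backport_aware_is_vulnerable(banner: str) -> bool:
    """Same banner, but consult the vendor backport table before flagging."""
    b = parse_banner(banner)
    if b.version >= UPSTREAM_FIXED_IN:
        return False
    min_release = BACKPORTED_FIX_RELEASE.get(b.vendor) if b.vendor else None
    if min_release is not None and b.release is not None:
        # Vendor build: fixed if the package release includes the backport.
        return b.release < min_release
    # No vendor information: cannot confirm a backport, keep the finding
    # and verify on the host rather than trusting the banner either way.
    return True


def package_is_patched(pkg_version: str) -> bool:
    """Authenticated check: decide from the installed package, not the banner.

    Uses the same constructed advisory data; the package release is what the
    host's package manager reports, which the banner cannot misrepresent.
    """
    m = PKG_RE.match(pkg_version.strip())
    if not m:
        raise ValueError(f"unrecognised package version: {pkg_version!r}")
    major, minor, patch, release = (int(x) for x in m.groups())
    if (major, minor, patch) >= UPSTREAM_FIXED_IN:
        return True
    return release >= BACKPORTED_FIX_RELEASE["ExampleOS"]


if __name__ == "__main__":
    # Constructed sample banners, one per case discussed in the thread.
    for sample in ("ExampleHTTPd/2.3.1 (ExampleOS 7)",   # patched via backport
                   "ExampleHTTPd/2.3.1 (ExampleOS 6)",   # genuinely unpatched
                   "ExampleHTTPd/2.3.1",                 # vendor unknown
                   "ExampleHTTPd/2.4.0"):                # upstream fix
        print(f"{sample:36} naive={naive_is_vulnerable(sample)!s:5} "
              f"backport-aware={backport_aware_is_vulnerable(sample)}")
```

The naive check reports the first banner as vulnerable even though the vendor has already shipped the fix, which is exactly the argument in the exchange above; the backport-aware check clears it, still flags the release-6 build, and deliberately keeps the finding open when the banner carries no vendor information, because in that case the banner alone cannot prove anything and `package_is_patched` (run with credentials on the host) is the evidence that should close the ticket.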

~~~
xamuel
>Do you really want to be the guy who gets thrown under the bus because you
had to disable strong passwords because the CEO was angry he needed both upper
and lower case letters in his AD password?

Except those strong password policies don't strengthen security at all,
neither in theory nor practice. Congratulations, the CEO's password is now
"qweRTY" and it's written on a yellow sticky-note on his monitor.

~~~
tw04
A post-it note on his monitor of a secure password (they generally require a
number or special character, as well as being 8 characters long), is actually
better security than an extremely simple password. I can have him lock his
office door... I can't prevent someone from brute forcing the password he's
re-used on every site on the internet.

I literally tell my parents to have a secure password they write on a post-it
note. The odds of someone breaking into their house for their password is
about 1/10000th the odds of someone cracking their simple password on a
website and getting the keys to the kingdom.

------
troymc
My first thought upon reading this headline was, "The health insurers have an
anthem??"

------
elwell
Turned 26 in January. Purchased Anthem medical insurance so I don't get
penalized by Obamacare. Surprised how expensive it is, but bit my tongue and
continue. Anthem gets hacked. My Name + SSN is probably somewhere it shouldn't
be; ugh.

~~~
thirsteh
Are you really trying to say not having health insurance is better than your
info potentially being breached?

~~~
wnoise
At 26, quite possibly.

~~~
thirsteh
Yeah, cause accidents don't happen in your 20s.

~~~
EpicEng
True, but young people use very little coverage (less than they pay for) on
average. They are subsidizing the plans of older people.

