Hacker News new | past | comments | ask | show | jobs | submit login
Anthem Blue Cross breach notification [pdf] (ca.gov)
180 points by arkadiyt on Dec 2, 2021 | hide | past | favorite | 92 comments



> What are we doing?

> We:

> • Looked into what caused this issue.

> • Are taking steps to reduce the risk of this happening again.

> • Temporarily shut down the portal account

So, they cheap out on security, cause MY PII to be leaked (enough for identity theft) and all they do is shut my own access out?

No details on "Are taking steps to reduce the risk of this happening again" because I bet all they did was shut off this one hole rather than revamp their security.

For the record, this isn't even the first Anthem BC breach: In 2015, they had a breach so large that it has its own Wikipedia page. https://en.wikipedia.org/wiki/Anthem_medical_data_breach

In 2020, Anthem had net income of $4.57 billion. If they are fined at/settled for the same level as the 2015 breach (~$150M), then their incentive is to continue playing fast and loose with data rather than invest in sane security.


Anthem has agreed to pay $115 million to settle a class-action lawsuit following a 2015 data breach that exposed nearly 80 million patient records.

https://www.fiercehealthcare.com/privacy-security/anthem-agr...

f) Attorney Fees and Costs. Plaintiffs will also separately petition for an award of attorneys’ fees and reimbursement of litigation expenses from the Settlement Fund. Plaintiffs will not seek more than 33% of the Settlement Fund ($37,950,000) for attorney fees, which as counsel pledged at the onset of the litigation will amount to considerably less than 1.75 times their reasonable lodestar, already reduced in the exercise of billing judgment. Cervantez Decl. ¶ 18. They will also will not seek more than $3,000,000 in expense reimbursements, and will support their application with detailed lodestar information and an accounting of their expenses. Id. ¶ 19. Defendants have agreed not to oppose Plaintiffs’ application

https://s3.amazonaws.com/assets.fiercemarkets.net/public/004...


> • Are taking steps to reduce the risk of this happening again.

Bob I want you to find me the best(cheapest) security contractor you can find.

Few moments later......Sorry, we had another breach, we had one of the best security experts in the world look over our systems and made appropriate changes. We increased our security budget from $5 to $5.01.

Have you checked out our corporate events? Those are really fun and we really go all out for our employees.


Accenture here, we are prepared to do your bidding.


Sure, this is your data, not theirs.

Source: Equifax 2017.


Time to rename that Wikipedia page, I suppose.


My insurance company. And NICE! they are offering me free credit monitoring. Only I still have free credit monitoring from the OPM breach where the federal government lost all my personal information to what is probably nation-state level hackers.

No consequences, the trend will continue. Consider all of your information compromised, always.


With so many data breaches occurring, we all probably have free credit report monitoring for life.

It's completely ridiculous. There's zero consequences for bad security. All companies need to do is report the breach to the government, buy "credit monitoring" for the victims which costs pennies, and deal with half a day of bad press on Twitter. Meanwhile, consumers have to deal with identity theft consequences, which in a court of law, is nearly impossible to tie back to a specific incident.

Until governments impose serious fines, even to mom and pop businesses scaled up to massive corporations, this will not change.


There’s a requirement that buildings need to have building plans that are personally approved and vouched for by a credentialed Professional Engineer, who takes personal liability—up to and including criminal liability for negligent homicide—if the building collapses and harms people due to a design flaw. I think that’s a good model for this type of problem.


Yes - computer "science" is a joke. I'm certainly not one for rampant regulation, but this is an area that needs to get seriously beefed up.

Especially with the right systems far more people can be harmed than by a building collapse :p


Computer science is a real science and is fine. It is not however engineering. Anyway, the problems lie in the information security industry, which is amateur in comparison.


Yes, corporate IT is basically equivalent to 1800's era factory technology. It works, but there are massive safety issues.


The technology is there. You just have to use it. It does not help however, that the most popular mobile and desktop OSs make money with your data which leads to absymal security practices.


Perhaps it's indeed time for serious companies (these are definitely not MVPs) to have security insurance and they'd mandate some standard.


>identity theft consequences

>Until governments impose serious fines

Or maybe change the language? It's not possible to steal an identity; it's a fiction that is convenient for corporations handling personal information in ways that cost society.


Good IT and engineering staff is a lot more expensive than even a fine for 10% of your annual revenue. Hiring a single good security engineer might cost 400k or more.

Good luck getting your insurance company that pays $100k to senior engineers to do that.


That is definitely a key problem. Why pay for even one security professional when the consequences are just a few grand in credit monitoring for your customers?


I applied for a programming job with an insurance company once and then the first screening test involved interpreting flowcharts, looked like they were photocopied from a 1970s textbook. I decided then and there it wasn't worth it.

>$100k to senior engineers

Could be half that and no technical screening whatsoever.


Most technical operations are outsourced. They even have a separate company in india for obvious cost savings reasons.


Anthem specifically? Maybe, but insurance and other mundane companies in general hire Americans for IT jobs, only in places like Indiana, upstate NY, or the southeastern US. Often working with people who are in, say, New Delhi, but not being replaced by them.

Outsourcing frequently means outsourcing to people in the US who are paid enough less to be a logical option.


Since everybody already has free credit monitoring, it seems like maybe they should be paid cash for breaches in the future.


I bet a lot of people would sign up to pay lower premiums in exchange for not having their data be private. I probably would too depending on how much cheaper.

People already use GoodRx discount cards at pharmacies.


There's was an option to accept $50 in lieu of credit monitoring last time.


A lot of countries have solved this problem. I am a dual US|EU (Croatian) citizen.

On the EU side, we have smart chip national ID cards that are being adopted EU-wide.

In Croatia, you can use those smart chip national ID cards for governmental affairs with a USB smart chip reader (for authentication) on the e-citizens portal.


I need to buy shares in credit monitoring companies. It's the industry of the future!


I’ve worked inside of these companies. It’s not just a money issue. It’s a competency issue. These companies are at least 10+ years behind in everything tech. They still believe in firewall moats. Flat networks. They have PHI spread across dev test and production environments. Upper management views tech as a cost center that never produces. They can’t keep talent around because they refuse to pay market rates. And most of their employees and manager have been around 20 plus years, which they applaud longevity, and anybody who attempts to come in and do something new and secure is derided as a hipster who isn’t into security.

I knew of 5 different ways I could have exfiltrated the entire PHI of every member without them having any knowledge of it and the SecOps manager just ignored it because they were “to busy”. Throw in archaic security requirements passed down from the BCBSA that do nothing to actually improve security but generally make it harder to work and you have a recipe for disaster.


> They can’t keep talent around because they refuse to pay market rates

The former CTO of Blue Shield of California told me back in 2012 (re tech talent):

> “We have the Ds and the Fs of the industry. I mean, who would want to work for a payor (insurance co) in SF?”

(Quoted to the best of my memory… But the first sentence is pretty much verbatim)


Kinda galling to realize that some of the most personal information of millions of people is being guarded by the D's and F's of the industry.. They ever heard of "First, do no harm?"


> Kinda galling to realize that some of the most personal information of millions of people is being guarded by the D's and F's of the industry

I 100% agree.

I also wonder what the solution could be though… Especially for geographies that have lots of more interesting companies to work for.

We could sit here and say “they could pay market rates“ (or even, “they could pay shiploads of cash, benefits, etc”) but, from the little data I gathered from the CTO and others, some of the difficulties are 1. that the problems they have are generally not very interesting because… 2. their risk tolerance is -1000 since 3. innovation & change is seen as - and can pose a very material - risk, and 4. They are a slow and stodgy companies mired in regulations and guided by legal teams* (Also means offering stock/upside underperforms tech companies by a mile)

I’m trying to imagine a scenario where (as a person with plenty of options) I would be interested in joining the health insurance company for longer than a year or two…

Even if they gave me a massive salary, a gorgeous office, a robust team, they would still have massive challenges to give impactful problems to work on without getting mired in internal legal battles and committee reviews.

Having seen several insurers from the inside most of them would need massive internal cultural changes just to hire a handful of A-players and retain them for any reasonable length of time (make that triple true with the pandemic popularizing remote work)*

* A quote from the #3 person at Regence who I worked with: “I love this!” (Re a startup product.) “How do we get it around legal and through procurement?”

Even someone who controlled 1/3 of all revenue made by the business still could be stymied by legal & procurement.

* There is one shining star I could point to… Regence BlueCross BlueShield of the Pacific Northwest. They are owned by a parent company, Cambia, which also has an accelerator, venture arm, and an innovation lab if I remember correctly.

They have solved some of these issues by investing in innovators such as spotlight health to help them solve their business needs. However, I don’t believe (though I have no data) they had a robust internal security team for all the reasons listed above.

(I haven’t had any contact or affiliation with him in about eight years.)


If they actually treated their IT team as valuable staff members and not a cost center, and paid market rates, I'm sure they wouldn't have trouble finding talent.


The point made in other threads is that it's way cheaper to just pay token amounts when security breaches happen, rather than pay market rates. They don't want expensive talent.


For every disclosed HIPAA violation, there are at least 10x the number of violations that go unnoticed and unreported. When you give data to a hospital or clinic, it is being shared in unredacted form with third parties that have signed Business Associate Agreements with the healthcare provider. There is no oversight or concrete regulation that comes with a BAA, there is no "HIPAA inspection" similar to an OSHA or FDA surprise inspection, while the ramifications of leaking your health data have become far more consequential (to the point that you might need to pay into the Experian protection racket when it happens).

Source: I work in the industry.


I have a portal account that my (autofilled!) password wasn't working for.

I contacted the doctor's office, and they sent me back the plaintext password.

That's when I knew.


This is the perfect anecdote. Either you get lucky with a healthcare provider that has signed a BAA with a company where someone happens to know how to use bcrypt for passwords, or you don't - there is really no way to know until you send that password reset email.


i used to work in health care, and the website for a certain medical board stores all of its licensees' passwords in plaintext. i am no longer licensed with that board, but i can't remove any of my data. a breach seems inevitable.


I logged on to a medical practice's portal and was able to access all of the provider's notes from my visits.

I didn't read them or investigate to see whether it was just my own that were available, but I'm pretty sure it was a mistake in setting permissions.

Some time later the whole portal disappeared, except for a bill pay page. Also the provider suddenly quit with no warning; I don't recall the sequencing.

Nobody ever sent me a letter fessing up to anything.


The provider's notes about your visit are part of your medical record, and something that would be very reasonable for you to see (in most cases they are legally required to provide access to your compete record). What would they need to "fess up" about?


>in most cases they are legally required to provide access to your complete record

Yes, I'm aware and I have requested my records in the past. I can even spell HIPAA, unlike a lot of people.

This is irrelevant to my anecdote about the screwed up portal, since I would be aware and have mentioned it if I made such a request, which I did not.

>What would they need to "fess up" about?

Like I said, I didn't investigate to find out the full story, because we all know what happens if you "hack" a broken system.


Yeah, I don't follow this line either. My doctors portal has my providers notes readily available to me without me asking.

Are you sure you aren't just expecting to have to request it, and are being surprised by the fact that you don't?


Yes, I am.

I have a primary care doctor whose portal has the sort of thing you're referring to. That's different.


What's the difference between these two portals that means sharing your records with you is good in one case and bad in the other?


But they were _your_ records. Are you saying they should only be available to you upon request?

I'm not following you to the conclusion that it must be broken because it gave you access to your own records.


>Are you saying they should only be available to you upon request?

No.


Then I'm not following what you think was wrong here...


Free credit monitoring is the biggest scam of all:

- Company doesn't follow security practices and leaks data

- Feds get notified if it's a big enough breach. Btw, this is from the good will of the company

- Data Brokers...erm, Credit Agencies, then monitor for the data...i guess the insurance company sent it to them too, so they know what to look for?

- I don't know who pays for this (originating company, tax payers, etc)

- Credit Agencies now get to monitor you. Watch what you do under the guise of protecting you. While still building your credit score.

- Hopefully the info leaked and being used is accurate. If not, the Credit Agency has no obligation to fix it unless you say so and even then it can take a long time to remedy.

This just seems fucked.


I have a creditor that reported a bogus charge. The source of the charge is an illegal clause in their contract, when I tried to get the charge removed from my credit report, they sent back as proof the final page of the document with my signature (not even the page with the clause in question) and that was apparently enough to validate the debt? So because I had signed _something_ for them, the debt was assumed to be valid. It's now at the point where the only means I have to remove it from my report is to sue them.


The last time I went to urgent care and then to the hospital, they had me sign for things on an electronic pad with no text presented or available.

Ha, now that I think of it, they probably had signs saying no recording and/or turn off your phone, so I may not have even been permitted to record what they said.


Unless such signs carry force of law where you live (I don't know of any such jurisdiction), always record conversations that take place in public settings.


Gym membership renewal?


> Free credit monitoring is the biggest scam of all

The root cause is a clause in Federal law[1] that precludes an individual from holding a creditor or credit bureau liable for inaccurate information regarding that individual. If we were able to sue the creditor and credit bureau because they engaged in libel, then identity theft would no longer be a thing because there would be incentive for banks and other creditors to actually verify the identity of the individual before issuing credit.

[1] https://www.law.cornell.edu/uscode/text/15/1681h (e)


Wow, ok then. Screw the consumer. Too bad their neglect/delays/etc to update information isn't considered malice. People will lose out on homes, cars, be charged more if this false data is a negative on your credit score, while waiting for the kind overlords to make the appropriate changes.


Finally someone who gets it. Credit monitoring/reporting services are a straight up fraudulent scam to get more of your personal information. I feel sorry for the suckers who actually pay for such things.


Some of us do and have for awhile, but no one with power seems to know or care.


Until CEOs start going to jail for this stuff, it's prudent to expect every company you do business with will soon lose all your personal information to a bad guy. If the company makes an especially big deal about "protecting your personal information," expect it to happen even sooner.


I don’t think that’s a good answer. It “feels good” but won’t solve any problem - do you really think security breaches will vanish because we will send the CEO to jail?

I think instead what we need to do is:

A) have “egregious” problem multipliers that stack. Using outdated cryptographic designs? 10x damages multiplier. Using software with known vulnerabilities that was part of the breach? 100x multiplier. Not encrypting data at rest? 1000x multiplier. Etc etc.

B) develop a standard whereby my PII is not allowed to be stored and you only get access to it at time of use (this would also largely solve the problem of the shadow data marketplace).

Even with all that, you could have a security breach where someone has a Trojan spying on all traffic live on the system and stealing that PII once it’s decrypted. So the problem isn’t solvable but maybe these kinds of steps might raise the bar.


Basically, anyone who maintains a database of information needs to be liable for damages due to the disclosure and/or inaccuracy of that information. Trial lawyers will take care of the rest.


The whole point of incorporating is to limit personal liability. This vengeful "put CEOs in jail" attitude flies in the face of law and even common sense, and doesn't address the root of the problem, which is tech-illiteracy in the general population, not evil men in white collars.


And all this would do is make the CEO a sacrificial position. Cheaper to pay someone to go to jail than it is to fix the problem


Incorporation limits liability of the shareholders. Nobody is talking about liability for shareholders.


Anthem had another breach in 2015 [1]. Offered free credit monitoring then as well.

They were sued and settled in 2017 [2].

[1] https://resources.infosecinstitute.com/topic/the-breach-of-a... [2] https://www.businessinsurance.com/article/00010101/NEWS06/91...


Two years' credit monitoring plus, for "people who are already enrolled in credit monitoring...up to $50 per person." That looks like B.S. to me. But were I to play devil's advocate, I'd have to point out that the evidence of actual damage done is slim.


> We have no reason to believe that someone will misuse your information because of what happened.

Uh, why do they think someone would illegally access information? Just for fun?


So the breach involved their portal. I HATE those portals. I wish healthcare providers would just send an email, rather than "you have a new message on our portal". I think (hope?) my email is more secure than these portals..


As I understand it, HIPAA requires that health information is secured in transit and at rest. This is difficult to do over email, since email is not always encrypted in transit, so the general recommendation is to use a portal instead.

There's some additional information here: https://www.securitymetrics.com/static/resources/orange/HIPA...


These patient portals are required by law now, for all medical offices large and small. Part of it is also just shifting work into the portal one is required to have anyways

Source: have worked in a medical office


Technically, your email may have been transmitted in plain text over the open internet. Most email doesn't go through unencrypted connections, but it isn't guaranteed. Email also doesn't do much to establish the authenticity of the sender, at least not as part of its specification.


Yes I wish there was a way to opt out and just rely on phone support. At least with phone support the attackers would have to social engineer things at an individual records level versus just being able to brute force huge bulk data records out.


Most doctors offices are effectively overworked and understaffed small businesses. Shifting all that support to the phone would not be reasonable, from a workload perspective.


Just to expand on that, patients aren't the only ones with a legitimate reason to access that data. Insurance companies need copies as well, so they would still want some kind of mass-data portal even if customers don't use it. If you change doctors, they want copies of your old medical records. If you see a specialist, if you go to the hospital, etc, etc. Pharmacies might call and ask if they think there's something weird about a prescription.

Direct patient contacts are a vanishingly small percentage of records requests for a doctor. Doctors could likely handle those via phone, but it doesn't solve the issue of needing an EMR.


> Up to $1 Million Identity Theft Insurance: Provides coverage for certain costs and unauthorized electronic fund transfers.

Why is this needed? If my bank erroneously decides to let somebody else transfer funds out of my account, or lets somebody else establish a debt in my name, then that's just a bank error. Is my bank not liable for that?


While the bank may be liable at the end of the day, you very well may have to sue to get them to accept liability, and lawyers cost money. The insurance pays for the lawyers.


Mitchell and Webb did a great riff on this: https://youtu.be/CS9ptA3Ya9E


I find it astonishing that they're allowed to claim

    We have no reason to believe that someone will misuse your information because of what happened
This information would be sufficient to pass identity checks for phone calls at most non-finance companies I've interacted with, including all healthcare providers.


Came here to say the same thing. If the public actually believed this then Anthem would have no reason to provide credit monitoring.


Again?! They had a huge breach a handful of years ago too.

On a somewhat related note: I don't think Aetna is too far behind. Their website is just as awful as Anthem and as a software dev myself, I know that if you don't put care into your consumer-facing products, your security is probably really poor.


> We have no reason to believe that someone will misuse your information because of what happened.

Yeah, ok. They literally sent victims to a DATA BROKER to "protect" them. The very same people who would buy up that leaked data that came the "hack." What fucking world do we live in??

Edit: ...


The fine should be $100 per user and go directly to the user. Some companies would just pay it but most would take this more seriously.


It should double every time.


Did the file move? Am getting file not found for:

https://oag.ca.gov/system/files/CA%20HITECH%20DTN%201020172....



Can’t wait for the medical device hacks coming soon!

I recently was admitted to an American hospital due to sepsis for an extended period of time, when I was visiting family for a few months (fortunately I am insured in the United States even while abroad).

The hospital required the nurses to administer IV meds in a very peculiar way.

One week into my hospital stay, they started a new programme administering IV meds with code executed from the Electronic Health Record (Epic) to the pump. The pump would start as soon as the barcodes for the IV meds were scanned. The infusion rates were programmed into the electronic health record so the nurses didn’t have to manually program the pump.


I spent a bunch of time in the hospital over the last 2 years, and my hospital did the same switch. The nurses hated it, and they all knew how to override it if it didn't work correctly.


where is the official notification of the breach?


I'm sure many people here have been the victim of repeated security breaches. I feel like all the criminals have my info already. The best I can do from my end is compartmentalize risks by using different email addresses, phone numbers, logins, and passwords everywhere. But it isn't practical to do that either (particularly with phone numbers). We need to solve that problem, and we need to introduce actual fines and jail time for these breaches.


This was a pretty small breach if its the same one reported here: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

2023 individuals affected.


I'm not surprised to find out they were breached I was trying to do a SEP around that time and finally gave up because their system was so broken. At least this explains the Apple ID reset requests I was getting in October!


I'm getting a 404 response and this message;

> The requested page "/system/files/ca%20hitech%20dtn%201020172.pdf" could not be found.

EDIT: Now I'm not, and I can load the PDF. Not sure why.


Just quit a job (for other reasons, but that was a yellow flag if not a red one) that had just switched mid-term to Anthem so I'm personally feeling super great about this.


Is there any more info about the scope of the breach? from the PDF metadata I'm wondering if it only affected people on Medi-Cal in certain counties


> What are we doing?

We changed our password from 1234 to OhMFGwerefucked1234


Only 5k impacted, per the HHS


"Anthem Blue Cross is the trade name of Blue Cross of California" is why this is (ca.gov).




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: