[HN Gopher] Anthem Blue Cross breach notification [pdf]
       ___________________________________________________________________
        
       Anthem Blue Cross breach notification [pdf]
        
       Author : arkadiyt
       Score  : 108 points
       Date   : 2021-12-02 16:37 UTC (6 hours ago)
        
 (HTM) web link (oag.ca.gov)
 (TXT) w3m dump (oag.ca.gov)
        
       | primitivesuave wrote:
       | For every disclosed HIPAA violation, there are at least 10x the
       | number of violations that go unnoticed and unreported. When you
       | give data to a hospital or clinic, it is being shared in
       | unredacted form with third parties that have signed Business
       | Associate Agreements with the healthcare provider. There is no
       | oversight or concrete regulation that comes with a BAA, there is
       | no "HIPAA inspection" similar to an OSHA or FDA surprise
       | inspection, while the ramifications of leaking your health data
       | have become far more consequential (to the point that you might
       | need to pay into the Experian protection racket when it happens).
       | 
       | Source: I work in the industry.
        
         | sfink wrote:
         | I have a portal account that my (autofilled!) password wasn't
         | working for.
         | 
         | I contacted the doctor's office, and they sent me back the
         | plaintext password.
         | 
         | That's when I knew.
        
           | primitivesuave wrote:
           | This is the perfect anecdote. Either you get lucky with a
           | healthcare provider that has signed a BAA with a company
           | where someone happens to know how to use bcrypt for
           | passwords, or you don't - there is really no way to know
           | until you send that password reset email.
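The two replies above contrast a portal whose support desk can read your password back with one that "knows how to use bcrypt". The following is an added example (not code from the thread or from any provider it mentions) that models both stores side by side. bcrypt is a third-party package, so the hashed store uses hashlib.scrypt from the standard library as its memory-hard password hash; the cost parameters, user names, passwords and the reset-token flow are all assumed or constructed for illustration.

```python
"""Added example, not code from the thread or from any provider it names.

Models two ways a patient portal could store passwords: the anti-pattern in
the anecdote above (plaintext, so support can mail it back) and a hashed
store that can only verify a password or reset it. All users, passwords
and cost parameters are constructed/assumed values."""
from typing import Optional
import hashlib
import hmac
import os
import secrets

# Assumed cost parameters; tune to the server's hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$n$r$p$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)  # fresh salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    expected = bytes.fromhex(digest_hex)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


# Hashed once at import so a login attempt for an unknown user costs the same time.
_DUMMY_RECORD = hash_password("dummy-password-for-timing")


class PlaintextPortal:
    """The anti-pattern: whatever support can read, anyone who dumps the table can too."""
    def __init__(self):
        self._users = {}

    def register(self, user: str, password: str) -> None:
        self._users[user] = password

    def login(self, user: str, password: str) -> bool:
        return self._users.get(user) == password

    def support_lookup(self, user: str) -> str:
        return self._users[user]  # this is what "sent me back the plaintext password" implies


class HashedPortal:
    """Stores only salted scrypt records; the password itself is never recoverable."""
    def __init__(self):
        self._users = {}
        self._reset_tokens = {}  # sha256(token) -> user, single use

    def register(self, user: str, password: str) -> None:
        self._users[user] = hash_password(password)

    def login(self, user: str, password: str) -> bool:
        record = self._users.get(user, _DUMMY_RECORD)
        ok = verify_password(password, record)
        return ok and user in self._users

    def support_lookup(self, user: str) -> str:
        raise LookupError("passwords are not stored; issue a reset token instead")

    def issue_reset_token(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token, so a database leak cannot redeem it.
        self._reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = user
        return token

    def redeem_reset(self, token: str, new_password: str) -> bool:
        user = self._reset_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if user is None:
            return False
        self._users[user] = hash_password(new_password)
        return True
```

The point of the contrast is the `support_lookup` method: in the hashed store there is nothing to look up, so the only thing a helpdesk can do is trigger the reset flow, which is exactly the "password reset email" the reply above uses as its litmus test.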
        
         | [deleted]
        
       | throwawaysea wrote:
       | I'm sure many people here have been the victim of repeated
       | security breaches. I feel like all the criminals have my info
       | already. The best I can do from my end is compartmentalize risks
       | by using different email addresses, phone numbers, logins, and
       | passwords everywhere. But it isn't practical to do that either
       | (particularly with phone numbers). We need to solve that problem,
       | and we need to introduce actual fines and jail time for these
       | breaches.
        
       | hereforphone wrote:
       | My insurance company. And NICE! they are offering me free credit
       | monitoring. Only I still have free credit monitoring from the OPM
       | breach where the federal government lost all my personal
       | information to what is probably nation-state level hackers.
       | 
       | No consequences, the trend will continue. Consider all of your
       | information compromised, always.
        
         | snapetom wrote:
         | With so many data breaches occurring, we all probably have free
         | credit report monitoring for life.
         | 
         | It's completely ridiculous. There's zero consequences for bad
         | security. All companies need to do is report the breach to the
         | government, buy "credit monitoring" for the victims which costs
         | pennies, and deal with half a day of bad press on Twitter.
         | Meanwhile, consumers have to deal with identity theft
         | consequences, which in a court of law, is nearly impossible to
         | tie back to a specific incident.
         | 
         | Until governments impose serious fines, even to mom and pop
         | businesses scaled up to massive corporations, this will not
         | change.
        
           | disabled wrote:
           | A lot of countries have solved this problem. I am a dual
           | US|EU (Croatian) citizen.
           | 
           | On the EU side, we have smart chip national ID cards that are
           | being adopted EU-wide.
           | 
           | In Croatia, you can use those smart chip national ID cards
           | for governmental affairs with a USB smart chip reader (for
           | authentication) on the e-citizens portal.
        
           | kylehotchkiss wrote:
           | Since everybody already has free credit monitoring, it seems
           | like maybe they should be paid cash for breaches in the
           | future.
        
             | lotsofpulp wrote:
             | I bet a lot of people would sign up to pay lower premiums
             | in exchange for not having their data be private. I
             | probably would too depending on how much cheaper.
             | 
             | People already use GoodRx discount cards at pharmacies.
        
           | kingcharles wrote:
           | I need to buy shares in credit monitoring companies. It's the
           | industry of the future!
        
           | b9a2cab5 wrote:
           | Good IT and engineering staff is a lot more expensive than
           | even a fine for 10% of your annual revenue. Hiring a single
           | good security engineer might cost 400k or more.
           | 
           | Good luck getting your insurance company that pays $100k to
           | senior engineers to do that.
        
             | snapetom wrote:
             | That is definitely a key problem. Why pay for even one
             | security professional when the consequences are just a few
             | grand in credit monitoring for your customers?
        
           | philwelch wrote:
           | There's a requirement that buildings need to have building
           | plans that are personally approved and vouched for by a
           | credentialed Professional Engineer, who takes personal
           | liability--up to and including criminal liability for
           | negligent homicide--if the building collapses and harms
           | people due to a design flaw. I think that's a good model for
           | this type of problem.
        
             | EricE wrote:
             | Yes - computer "science" is a joke. I'm certainly not one
             | for rampant regulation, but this is an area that needs to
             | get seriously beefed up.
             | 
             | Especially with the right systems far more people can be
             | harmed than by a building collapse :p
        
               | hereforphone wrote:
               | Computer science is a real science and is fine. It is not
               | however engineering. Anyway, the problems lie in the
               | information security industry, which is amateur in
               | comparison.
        
       | y-c-o-m-b wrote:
       | Again?! They had a huge breach a handful of years ago too.
       | 
       | On a somewhat related note: I don't think Aetna is too far
       | behind. Their website is just as awful as Anthem and as a
       | software dev myself, I know that if you don't put care into your
       | consumer-facing products, your security is probably really poor.
        
       | dreamcompiler wrote:
       | Until CEOs start going to jail for this stuff, it's prudent to
       | expect every company you do business with will soon lose all your
       | personal information to a bad guy. If the company makes an
       | especially big deal about "protecting your personal information,"
       | expect it to happen even sooner.
        
       | brutal_chaos_ wrote:
       | Free credit monitoring is the biggest scam of all:
       | 
       | - Company doesn't follow security practices and leaks data
       | 
       | - Feds get notified if it's a big enough breach. Btw, this is
       | from the good will of the company
       | 
       | - Data Brokers...erm, Credit Agencies, then monitor for the
        | data...I guess the insurance company sent it to them too, so they
       | know what to look for?
       | 
       | - I don't know who pays for this (originating company, tax
       | payers, etc)
       | 
       | - Credit Agencies now get to monitor you. Watch what you do under
       | the guise of protecting you. While still building your credit
       | score.
       | 
       | - Hopefully the info leaked and being used is accurate. If not,
       | the Credit Agency has no obligation to fix it unless you say so
       | and even then it can take a long time to remedy.
       | 
       | This just seems fucked.
        
       | jeffparsons wrote:
       | > Up to $1 Million Identity Theft Insurance: Provides coverage
       | for certain costs and unauthorized electronic fund transfers.
       | 
       | Why is this needed? If my bank erroneously decides to let
       | somebody else transfer funds out of my account, or lets somebody
       | else establish a debt in my name, then that's just a bank error.
       | Is my bank not liable for that?
        
         | FateOfNations wrote:
         | While the bank may be liable at the end of the day, you very
         | well may have to sue to get them to accept liability, and
         | lawyers cost money. The insurance pays for the lawyers.
        
       | disabled wrote:
       | Can't wait for the medical device hacks coming soon!
       | 
       | I recently was admitted to an American hospital due to sepsis for
       | an extended period of time, when I was visiting family for a few
       | months (fortunately I am insured in the United States even while
       | abroad).
       | 
       | The hospital required the nurses to administer IV meds in a very
       | peculiar way.
       | 
       | One week into my hospital stay, they started a new programme
       | administering IV meds with code executed from the Electronic
       | Health Record (Epic) to the pump. The pump would start as soon as
       | the barcodes for the IV meds were scanned. The infusion rates
       | were programmed into the electronic health record so the nurses
       | didn't have to manually program the pump.
        
       | drewg123 wrote:
       | So the breach involved their portal. I HATE those portals. I wish
       | healthcare providers would just send an email, rather than "you
       | have a new message on our portal". I think (hope?) my email is
        | more secure than these portals.
        
         | jonas21 wrote:
         | As I understand it, HIPAA requires that health information is
         | secured in transit and at rest. This is difficult to do over
         | email, since email is not always encrypted in transit, so the
         | general recommendation is to use a portal instead.
         | 
         | There's some additional information here:
         | https://www.securitymetrics.com/static/resources/orange/HIPA...
        
         | somethoughts wrote:
         | Yes I wish there was a way to opt out and just rely on phone
         | support. At least with phone support the attackers would have
         | to social engineer things at an individual records level versus
         | just being able to brute force huge bulk data records out.
        
           | JshWright wrote:
           | Most doctors offices are effectively overworked and
           | understaffed small businesses. Shifting all that support to
           | the phone would not be reasonable, from a workload
           | perspective.
        
         | Skunkleton wrote:
         | Technically, your email may have been transmitted in plain text
         | over the open internet. Most email doesn't go through
         | unencrypted connections, but it isn't guaranteed. Email also
         | doesn't do much to establish the authenticity of the sender, at
         | least not as part of its specification.
        
       | Rebelgecko wrote:
        | Is there any more info about the scope of the breach? From the
        | PDF metadata I'm wondering if it only affected people on Medi-Cal
        | in certain counties.
        
       | morpheuskafka wrote:
       | > We have no reason to believe that someone will misuse your
       | information because of what happened.
       | 
       | Uh, why do they think someone would illegally access information?
       | Just for fun?
        
       | crankypirate wrote:
        | Where is the official notification of the breach?
        
       | floatingatoll wrote:
       | "Anthem Blue Cross is the trade name of Blue Cross of California"
       | is why this is (ca.gov).
        
       | bhaile wrote:
       | Anthem had another breach in 2015 [1]. Offered free credit
       | monitoring then as well.
       | 
       | They were sued and settled in 2017 [2].
       | 
        | [1] https://resources.infosecinstitute.com/topic/the-breach-of-a...
        | [2] https://www.businessinsurance.com/article/00010101/NEWS06/91...
        
         | JumpCrisscross wrote:
         | Two years' credit monitoring plus, for "people who are already
         | enrolled in credit monitoring...up to $50 per person." That
         | looks like B.S. to me. But were I to play devil's advocate, I'd
         | have to point out that the evidence of actual damage done is
         | slim.
        
       | newfonewhodis wrote:
       | > What are we doing?
       | 
       | > We:
       | 
       | > * Looked into what caused this issue.
       | 
       | > * Are taking steps to reduce the risk of this happening again.
       | 
       | > * Temporarily shut down the portal account
       | 
       | So, they cheap out on security, cause MY PII to be leaked (enough
       | for identity theft) and all they do is shut my own access out?
       | 
       | No details on "Are taking steps to reduce the risk of this
       | happening again" because I bet all they did was shut off this one
       | hole rather than revamp their security.
       | 
       | For the record, this isn't even the first Anthem BC breach: In
       | 2015, they had a breach so large that it has its own Wikipedia
       | page. https://en.wikipedia.org/wiki/Anthem_medical_data_breach
       | 
       | In 2020, Anthem had net income of $4.57 billion. If they are
       | fined at/settled for the same level as the 2015 breach (~$150M),
       | then their incentive is to continue playing fast and loose with
       | data rather than invest in sane security.
        
         | adolph wrote:
         | _Anthem has agreed to pay $115 million to settle a class-action
         | lawsuit following a 2015 data breach that exposed nearly 80
         | million patient records._
         | 
         | https://www.fiercehealthcare.com/privacy-security/anthem-agr...
         | 
         |  _f) Attorney Fees and Costs. Plaintiffs will also separately
         | petition for an award of attorneys' fees and reimbursement of
         | litigation expenses from the Settlement Fund. Plaintiffs will
         | not seek more than 33% of the Settlement Fund ($37,950,000) for
         | attorney fees, which as counsel pledged at the onset of the
         | litigation will amount to considerably less than 1.75 times
         | their reasonable lodestar, already reduced in the exercise of
         | billing judgment. Cervantez Decl. P 18. They will also will not
         | seek more than $3,000,000 in expense reimbursements, and will
         | support their application with detailed lodestar information
         | and an accounting of their expenses. Id. P 19. Defendants have
         | agreed not to oppose Plaintiffs' application_
         | 
         | https://s3.amazonaws.com/assets.fiercemarkets.net/public/004...
        
         | avgDev wrote:
         | > * Are taking steps to reduce the risk of this happening
         | again.
         | 
          | Bob, I want you to find me the best (cheapest) security
         | contractor you can find.
         | 
          | A few moments later... Sorry, we had another breach, we had one
         | of the best security experts in the world look over our systems
         | and made appropriate changes. We increased our security budget
         | from $5 to $5.01.
         | 
         | Have you checked out our corporate events? Those are really fun
         | and we really go all out for our employees.
        
         | ceejayoz wrote:
         | Time to rename that Wikipedia page, I suppose.
        
         | sonicanatidae wrote:
         | Sure, this is _your_ data, not theirs.
         | 
         | Source: Equifax 2017.
        
       | brutal_chaos_ wrote:
       | > We have no reason to believe that someone will misuse your
       | information because of what happened.
       | 
       | Yeah, ok. They literally sent victims to a DATA BROKER to
       | "protect" them. The very same people who would buy up that leaked
        | data that came from the "hack." What fucking world do we live in??
       | 
       | Edit: ...
        
       | adrianmonk wrote:
        | I'm getting a 404 response and this message:
       | 
       | > _The requested page
       | "/system/files/ca%20hitech%20dtn%201020172.pdf" could not be
       | found._
       | 
       | EDIT: Now I'm not, and I can load the PDF. Not sure why.
        
       | alx__ wrote:
        | Did the file move? I'm getting file not found for:
       | 
       | https://oag.ca.gov/system/files/CA%20HITECH%20DTN%201020172....
        
         | mdaniel wrote:
         | https://oag.ca.gov/ecrime/databreach/reports/sb24-547906 is the
         | metadata record for it, which links to
         | https://oag.ca.gov/system/files/CA%20HITECH%20DTN%201020172....
         | 
         | I found that via the whole list:
         | https://oag.ca.gov/privacy/databreach/list
        
       ___________________________________________________________________
       (page generated 2021-12-02 23:01 UTC)