[HN Gopher] Anthem Blue Cross breach notification [pdf]
___________________________________________________________________

Anthem Blue Cross breach notification [pdf]

Author : arkadiyt
Score  : 108 points
Date   : 2021-12-02 16:37 UTC (6 hours ago)

(HTM) web link (oag.ca.gov)
(TXT) w3m dump (oag.ca.gov)

primitivesuave wrote:
For every disclosed HIPAA violation, there are at least 10x the number of violations that go unnoticed and unreported. When you give data to a hospital or clinic, it is being shared in unredacted form with third parties that have signed Business Associate Agreements with the healthcare provider. There is no oversight or concrete regulation that comes with a BAA, there is no "HIPAA inspection" similar to an OSHA or FDA surprise inspection, while the ramifications of leaking your health data have become far more consequential (to the point that you might need to pay into the Experian protection racket when it happens).

Source: I work in the industry.

sfink wrote:
I have a portal account that my (autofilled!) password wasn't working for.

I contacted the doctor's office, and they sent me back the plaintext password.

That's when I knew.

primitivesuave wrote:
This is the perfect anecdote. Either you get lucky with a healthcare provider that has signed a BAA with a company where someone happens to know how to use bcrypt for passwords, or you don't - there is really no way to know until you send that password reset email.

[deleted]

throwawaysea wrote:
I'm sure many people here have been the victim of repeated security breaches. I feel like all the criminals have my info already. The best I can do from my end is compartmentalize risks by using different email addresses, phone numbers, logins, and passwords everywhere. But it isn't practical to do that either (particularly with phone numbers). We need to solve that problem, and we need to introduce actual fines and jail time for these breaches.

hereforphone wrote:
My insurance company. And NICE! they are offering me free credit monitoring. Only I still have free credit monitoring from the OPM breach where the federal government lost all my personal information to what is probably nation-state level hackers.

No consequences, the trend will continue. Consider all of your information compromised, always.

snapetom wrote:
With so many data breaches occurring, we all probably have free credit report monitoring for life.

It's completely ridiculous. There's zero consequences for bad security. All companies need to do is report the breach to the government, buy "credit monitoring" for the victims which costs pennies, and deal with half a day of bad press on Twitter. Meanwhile, consumers have to deal with identity theft consequences, which in a court of law, is nearly impossible to tie back to a specific incident.

Until governments impose serious fines, even to mom and pop businesses scaled up to massive corporations, this will not change.

disabled wrote:
A lot of countries have solved this problem. I am a dual US|EU (Croatian) citizen.

On the EU side, we have smart chip national ID cards that are being adopted EU-wide.

In Croatia, you can use those smart chip national ID cards for governmental affairs with a USB smart chip reader (for authentication) on the e-citizens portal.

kylehotchkiss wrote:
Since everybody already has free credit monitoring, it seems like maybe they should be paid cash for breaches in the future.

lotsofpulp wrote:
I bet a lot of people would sign up to pay lower premiums in exchange for not having their data be private. I probably would too depending on how much cheaper.

People already use GoodRx discount cards at pharmacies.

kingcharles wrote:
I need to buy shares in credit monitoring companies. It's the industry of the future!

b9a2cab5 wrote:
Good IT and engineering staff is a lot more expensive than even a fine for 10% of your annual revenue. Hiring a single good security engineer might cost 400k or more.

Good luck getting your insurance company that pays $100k to senior engineers to do that.

snapetom wrote:
That is definitely a key problem. Why pay for even one security professional when the consequences are just a few grand in credit monitoring for your customers?

philwelch wrote:
There's a requirement that buildings need to have building plans that are personally approved and vouched for by a credentialed Professional Engineer, who takes personal liability--up to and including criminal liability for negligent homicide--if the building collapses and harms people due to a design flaw. I think that's a good model for this type of problem.

EricE wrote:
Yes - computer "science" is a joke. I'm certainly not one for rampant regulation, but this is an area that needs to get seriously beefed up.

Especially with the right systems far more people can be harmed than by a building collapse :p

hereforphone wrote:
Computer science is a real science and is fine. It is not however engineering. Anyway, the problems lie in the information security industry, which is amateur in comparison.

y-c-o-m-b wrote:
Again?! They had a huge breach a handful of years ago too.

On a somewhat related note: I don't think Aetna is too far behind. Their website is just as awful as Anthem and as a software dev myself, I know that if you don't put care into your consumer-facing products, your security is probably really poor.

dreamcompiler wrote:
Until CEOs start going to jail for this stuff, it's prudent to expect every company you do business with will soon lose all your personal information to a bad guy. If the company makes an especially big deal about "protecting your personal information," expect it to happen even sooner.

brutal_chaos_ wrote:
Free credit monitoring is the biggest scam of all:

- Company doesn't follow security practices and leaks data

- Feds get notified if it's a big enough breach. Btw, this is from the good will of the company

- Data Brokers...erm, Credit Agencies, then monitor for the data...I guess the insurance company sent it to them too, so they know what to look for?

- I don't know who pays for this (originating company, tax payers, etc)

- Credit Agencies now get to monitor you. Watch what you do under the guise of protecting you. While still building your credit score.

- Hopefully the info leaked and being used is accurate. If not, the Credit Agency has no obligation to fix it unless you say so and even then it can take a long time to remedy.

This just seems fucked.

jeffparsons wrote:
> Up to $1 Million Identity Theft Insurance: Provides coverage for certain costs and unauthorized electronic fund transfers.

Why is this needed? If my bank erroneously decides to let somebody else transfer funds out of my account, or lets somebody else establish a debt in my name, then that's just a bank error. Is my bank not liable for that?

FateOfNations wrote:
While the bank may be liable at the end of the day, you very well may have to sue to get them to accept liability, and lawyers cost money. The insurance pays for the lawyers.

disabled wrote:
Can't wait for the medical device hacks coming soon!

I recently was admitted to an American hospital due to sepsis for an extended period of time, when I was visiting family for a few months (fortunately I am insured in the United States even while abroad).

The hospital required the nurses to administer IV meds in a very peculiar way.

One week into my hospital stay, they started a new programme administering IV meds with code executed from the Electronic Health Record (Epic) to the pump. The pump would start as soon as the barcodes for the IV meds were scanned. The infusion rates were programmed into the electronic health record so the nurses didn't have to manually program the pump.

drewg123 wrote:
So the breach involved their portal. I HATE those portals. I wish healthcare providers would just send an email, rather than "you have a new message on our portal". I think (hope?) my email is more secure than these portals..

jonas21 wrote:
As I understand it, HIPAA requires that health information is secured in transit and at rest. This is difficult to do over email, since email is not always encrypted in transit, so the general recommendation is to use a portal instead.

There's some additional information here: https://www.securitymetrics.com/static/resources/orange/HIPA...

somethoughts wrote:
Yes I wish there was a way to opt out and just rely on phone support. At least with phone support the attackers would have to social engineer things at an individual records level versus just being able to brute force huge bulk data records out.

JshWright wrote:
Most doctors offices are effectively overworked and understaffed small businesses. Shifting all that support to the phone would not be reasonable, from a workload perspective.

Skunkleton wrote:
Technically, your email may have been transmitted in plain text over the open internet. Most email doesn't go through unencrypted connections, but it isn't guaranteed. Email also doesn't do much to establish the authenticity of the sender, at least not as part of its specification.

Rebelgecko wrote:
Is there any more info about the scope of the breach? From the PDF metadata I'm wondering if it only affected people on Medi-Cal in certain counties.

morpheuskafka wrote:
> We have no reason to believe that someone will misuse your information because of what happened.

Uh, why do they think someone would illegally access information? Just for fun?

crankypirate wrote:
Where is the official notification of the breach?

floatingatoll wrote:
"Anthem Blue Cross is the trade name of Blue Cross of California" is why this is (ca.gov).

bhaile wrote:
Anthem had another breach in 2015 [1]. Offered free credit monitoring then as well.

They were sued and settled in 2017 [2].

[1] https://resources.infosecinstitute.com/topic/the-breach-of-a...
[2] https://www.businessinsurance.com/article/00010101/NEWS06/91...

JumpCrisscross wrote:
Two years' credit monitoring plus, for "people who are already enrolled in credit monitoring...up to $50 per person." That looks like B.S. to me. But were I to play devil's advocate, I'd have to point out that the evidence of actual damage done is slim.

newfonewhodis wrote:
> What are we doing?

> We:

> * Looked into what caused this issue.

> * Are taking steps to reduce the risk of this happening again.

> * Temporarily shut down the portal account

So, they cheap out on security, cause MY PII to be leaked (enough for identity theft) and all they do is shut my own access out?

No details on "Are taking steps to reduce the risk of this happening again" because I bet all they did was shut off this one hole rather than revamp their security.

For the record, this isn't even the first Anthem BC breach: In 2015, they had a breach so large that it has its own Wikipedia page. https://en.wikipedia.org/wiki/Anthem_medical_data_breach

In 2020, Anthem had net income of $4.57 billion. If they are fined at/settled for the same level as the 2015 breach (~$150M), then their incentive is to continue playing fast and loose with data rather than invest in sane security.

adolph wrote:
_Anthem has agreed to pay $115 million to settle a class-action lawsuit following a 2015 data breach that exposed nearly 80 million patient records._

https://www.fiercehealthcare.com/privacy-security/anthem-agr...

_f) Attorney Fees and Costs. Plaintiffs will also separately petition for an award of attorneys' fees and reimbursement of litigation expenses from the Settlement Fund. Plaintiffs will not seek more than 33% of the Settlement Fund ($37,950,000) for attorney fees, which as counsel pledged at the onset of the litigation will amount to considerably less than 1.75 times their reasonable lodestar, already reduced in the exercise of billing judgment. Cervantez Decl. P 18. They will also will not seek more than $3,000,000 in expense reimbursements, and will support their application with detailed lodestar information and an accounting of their expenses. Id. P 19. Defendants have agreed not to oppose Plaintiffs' application_

https://s3.amazonaws.com/assets.fiercemarkets.net/public/004...

avgDev wrote:
> * Are taking steps to reduce the risk of this happening again.

Bob I want you to find me the best(cheapest) security contractor you can find.

Few moments later......Sorry, we had another breach, we had one of the best security experts in the world look over our systems and made appropriate changes. We increased our security budget from $5 to $5.01.

Have you checked out our corporate events? Those are really fun and we really go all out for our employees.

ceejayoz wrote:
Time to rename that Wikipedia page, I suppose.

sonicanatidae wrote:
Sure, this is _your_ data, not theirs.

Source: Equifax 2017.

brutal_chaos_ wrote:
> We have no reason to believe that someone will misuse your information because of what happened.

Yeah, ok. They literally sent victims to a DATA BROKER to "protect" them. The very same people who would buy up that leaked data that came from the "hack." What fucking world do we live in??

Edit: ...

adrianmonk wrote:
I'm getting a 404 response and this message:

> _The requested page "/system/files/ca%20hitech%20dtn%201020172.pdf" could not be found._

EDIT: Now I'm not, and I can load the PDF. Not sure why.

alx__ wrote:
Did the file move? Am getting file not found for:

https://oag.ca.gov/system/files/CA%20HITECH%20DTN%201020172....

mdaniel wrote:
https://oag.ca.gov/ecrime/databreach/reports/sb24-547906 is the metadata record for it, which links to https://oag.ca.gov/system/files/CA%20HITECH%20DTN%201020172....

I found that via the whole list: https://oag.ca.gov/privacy/databreach/list

___________________________________________________________________
(page generated 2021-12-02 23:01 UTC)