These days it seems like there’s a major hack every week or so. The latest to fall? Anthem Health Insurance, which got hit bad. Really bad. So what’s next?

Photo Credit: MattHurst cc

The good news? Anthem is handling this hack like a champ. As Elle Pyle writes for Of Digital Interest, their transparent and proactive response could signal a change in how companies handle data breaches and protect their customers in the future:

Unlike many breaches in recent history, this attack was discovered internally through corporate investigative and management processes already in place. Further, the C-Suite took an immediate, proactive and transparent stance: just as the investigative process was launching in earnest within the corporation, the C-Suite took steps to fully advise its customers, its regulators and the public at-large, of the breach.

Anthem’s chief executive officer, Joseph Swedish, sent a personal, detailed e-mail to all customers. An identical message appeared in a widely broadcast press statement. Swedish outlined the magnitude of the breach, and that the Federal Bureau of Investigation and other investigative and regulatory bodies had already been advised and were working in earnest to stem the breach and its fallout. He advised that each customer or employee with data at risk was being personally and individually notified.

It’s a strategy that has long been called for, notably by President Obama in a proposal for better cyber security laws, and Anthem’s rapid and detailed response could be a sign that corporate America is listening and adapting their protocol.

The bad news is, there’s a lot of work to be done. Despite their quick response time, Anthem, the second largest health insurance provider in the U.S., is still looking at about 80 million customers who had their information stolen.

While some say the hackers had been staging this since December, others fear it may have started as far back as last April. Reportedly the cyberterrorists had a system administrator’s ID and password, but the information they stole wasn’t even encrypted. Ricardo Alonso-Zaldivar of AP says it’s all thanks to a lack of legal requirements around the issue:

Insurers aren’t required to encrypt consumers’ data under a 1990s federal law that remains the foundation for health care privacy in the Internet age – an omission that seems striking in light of the major cyberattack against Anthem.

Encryption uses mathematical formulas to scramble data, converting sensitive details coveted by intruders into gibberish. Anthem, the second-largest U.S. health insurer, has said the data stolen from a company database that stored information on 80 million people was not encrypted.

The main federal health privacy law – the Health Insurance Portability and Accountability Act, or HIPAA – encourages encryption, but doesn’t require it.

The lack of a clear encryption standard undermines public confidence, some experts say, even as the government plows ahead to spread the use of computerized medical records and promote electronic information sharing among hospitals, doctors and insurers.

… “In today’s environment, we should expect all health care providers to encrypt their data from end to end,” said [Indiana University law professor Nicolas] Terry, who specializes in health information technology.

The hackers reportedly infiltrated a key database, and took current and former customers’ names, dates of birth, Social Security numbers, phone numbers, email addresses, and more. Though they didn’t get away with any credit card information, medical information is often more valuable to hackers—and more disruptive to customers.

As Anthem continues to sort through the mess and investigate who was affected and how badly, consumers have little control over the investigation itself, but there are some things they can do. In a post for Data Privacy Monitor about what employers need to know, Theodore J. Kobus III and Lynn Sessions note that there are steps Anthem customers can take to protect themselves now, including ordering a credit report and setting alerts on their accounts. As David Navetta and Boris Segalis write in a post for Data Protection Report, there’s also the concern of aftershocks:

Further, according to initial expert analysis, the incident is likely a “dual-purpose” event, where the key goal of the hackers is to identify individuals and companies as targets for industrial espionage. These secondary attacks, if successful, may raise further notification obligations for companies, including obligations under the SEC requirements for public companies. Anthem’s customers in defense, high tech, pharma, and critical infrastructure industries are advised to take robust steps to prepare for attempts to breach their cybersecurity defenses using the stolen personal information.

No matter what happens, corporations and customers should start questioning their cyber security now. With cloud adoption happening at a higher and higher rate, consumers can no longer afford to just look for the silver lining in cyber security breaches.