Anthem Data Breach - A Message from Coalfire's Healthcare Practice Director

Andrew Hicks, Managing Principal, Coalfire

Several weeks ago I had the opportunity to speak on a panel at a healthcare conference. In attendance were CIOs, CISOs, VPs of IT, and members of legal counsel. The individuals attending the session represented organizations ranging from small- to medium-sized business associates all the way up to large, multi-networked hospitals defined as covered entities under the Health Insurance Portability and Accountability Act (HIPAA).

As is customary at these events, the moderator of the session looked for opportunities to engage the audience. The initial “softball” question lobbed to the audience was one we are all too familiar with: “What keeps you up at night?” While the answers included OCR audits, business associate management, and others, the almost unanimous response was the possibility of a data security breach involving patient information, formally known as protected health information (PHI).

To further set the tone for this blog post, I was recently asked by a media source what my IT security predictions were for the healthcare industry in 2015. Without hesitation, my response was, “2015 is going to be the year of the MEGA healthcare data breach.” What I didn’t know at the time was how soon that prediction would come true.

As you’ve probably already heard (big news travels fast), the nation’s second largest health insurer, Anthem, notified the media of a suspected data breach involving upwards of 80 million individuals. If this breach in fact affects anywhere close to that number of individuals, it will instantly dwarf the largest healthcare breach on record to date, the 2011 TRICARE breach, which affected 4.9 million beneficiaries.

News of the Anthem breach broke on Wednesday, February 4, 2015, and the associated threat vector is presumed to be an advanced persistent threat (APT): a targeted, sophisticated, and sustained intrusion aimed at stealing massive amounts of data rather than an opportunistic attack. This event hits home on a personal note because I was one of the recipients of the mass email from Anthem’s CEO informing me that I may have been one of the affected individuals – not too comforting.

There are several things that we’ve come to know, and in some cases almost brushed aside, since the enactment of the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009: 

1) PHI records are far more valuable on the black market (commonly cited as up to 50 times more) than credit card numbers and Social Security numbers, because a medical identity cannot simply be cancelled and reissued the way a card can;

2) Attackers have typically targeted large retailers, as seen in late 2013 and 2014 with Target, Neiman Marcus, Sally Beauty, and numerous others;

3) There is a practically unlimited number of threat vectors, threat agents, and vulnerabilities that could combine to culminate in a data security breach; and lastly

4) The Office for Civil Rights (OCR) is actively auditing covered organizations, albeit belatedly and without a big enough stick, and is handing out million-dollar penalties and settlements in the wake of data breaches such as those at Community Health Systems and New York Presbyterian, both of which made headlines in 2014.

While this message is not an attempt to scare you into compliance, it is meant as a gentle nudge to remind you that the threats are real, the attackers exist, and the healthcare industry at large is at risk. More importantly, it is a reminder that the privacy and security of patient information is of utmost concern, as recently addressed by the Obama administration’s $1.09 trillion Department of Health and Human Services budget proposal.

We all know the best way to learn is through the mistakes of others and through shared information. And the best defense is a well-planned, well-executed, ongoing, and proactive offense. So, if you have doubts about whether your PHI environment can withstand an attack or an internal incident, now is the time for action. Below is a list of Coalfire’s services that are geared towards increasing the maturity of organizational risk management and cyber security programs.

The value we propose to our customers is not a one-time “audit”, but rather a relationship built on being a trusted advisor. Should you have any questions, please don’t hesitate to reach out to me directly.

Investment/Benefit Analysis Associated with Coalfire’s Services

Andrew Hicks