Full Report
After the Anthem mega-breach, questions abound about possible abuses of medical data. Here is a breakdown that offers some context.
Analysis Summary
# Incident Report: Anthem Mega-Breach Context & Medical Data Risk Assessment
## Executive Summary
This summary contextualizes the Anthem mega-breach, focusing on the implications of stealing medical data versus general identity information. The incident highlighted the varying value and threat profiles associated with different levels of Electronic Health Record (EHR) data, ranging from basic demographic details to sensitive treatment histories, influencing attacker monetization strategies and the potential for medical identity theft or service fraud.
## Incident Details
- **Discovery Date:** Not explicitly stated, but the report is written *on the heels* of the announcement (February 13, 2015 context).
- **Incident Date:** Not explicitly stated.
- **Affected Organization:** Anthem (Medical Insurance Firm).
- **Sector:** Healthcare/Medical Insurance.
- **Geography:** Not explicitly stated, but context implies a large US health entity.
## Timeline of Events
*Note: The article focuses on analyzing the *type* of data breached rather than providing a detailed attack timeline for the specific Anthem incident. The timeline reflects the generalized progression of attacker goals post-breach based on data hierarchy.*
### Initial Access
- **Date/Time:** Not specified in the context provided.
- **Vector:** Not specified, but implied success led to access to patient records.
- **Details:** Data acquisition resulted in access to comprehensive patient identity information (Level 1 and Level 2 data).
### Lateral Movement
- **Details:** The data sprawl across the healthcare ecosystem involving third-party providers suggests potential lateral movement opportunities, where a breach in one provider could leverage elevated trust relationships with others.
### Data Exfiltration/Impact
- **Details:** Attackers gained access to various levels of Electronic Health Records (EHRs):
* **Level 1 (Basic Info):** Name, contact details (OSINT-level). Potential use: Spam targets.
* **Level 2 (Identity Data):** Social Security Number, address, email. Potential use: Identity theft, fake ID creation, tax fraud, answering security challenge questions.
* **Level 3 (Financial/Payment):** Financial or payment data (if present). Potential use: Carding on underground forums.
* **Level 4 (Full Medical History):** Detailed treatment history. Potential use: Targeted fraud where the stolen data matches a buyer seeking specific medical procedures.
### Detection & Response
- **Detection:** The breach was publicly announced, suggesting detection occurred prior to the report date.
- **Response actions taken:** Not specified in the provided context, which focuses on post-breach implications.
## Attack Methodology
*Note: Specific MITRE ATT&CK techniques for the Anthem breach are not detailed in the provided text, but the analysis describes the potential attacker goals based on the compromised data:*
- **Initial Access:** Not specified.
- **Persistence:** Not specified.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified.
- **Credential Access:** Highly likely, given the compromise included SSNs and identity data used for account pivoting.
- **Discovery:** Likely involved mapping the accessible EHR data tiers (Level 1 through Level 4).
- **Lateral Movement:** Potential implications exist across the health ecosystem due to third-party integrations.
- **Collection:** Harvesting large troves of identity data and specialized medical records.
- **Exfiltration:** Data was likely bundled and sold on different underground markets depending on its sensitivity level.
- **Impact:** Identity theft, tax fraud, financial fraud, and potential for transactional medical fraud.
## Impact Assessment
- **Financial:** Not quantified, but significant illicit earnings potential exists for attackers based on the market value difference between general ID data and specialized medical records.
- **Data Breach:** Comprehensive PII (SSN, name, address, email) and detailed medical/treatment history (Level 4 data).
- **Operational:** The proliferation of third-party providers increases the overall attack surface, complicating security management within the health ecosystem.
- **Reputational:** High, given the sensitive nature of medical records resulting in public scrutiny.
## Indicators of Compromise
*Note: No specific IOCs were provided in the text.*
- **Network indicators:** None provided.
- **File indicators:** None provided.
- **Behavioral indicators:** Potential phishing, unauthorized access to database backups, and bulk data transfer requests targeting EHR systems.
## Response Actions
*Note: Direct response actions specifically taken by Anthem are not detailed, but the analysis implies necessary technical controls.*
- **Containment measures:** (Implied need) Isolating compromised segments hosting higher-level data.
- **Eradication steps:** (Implied need) Removing attacker footholds, especially concerning third-party integrations.
- **Recovery actions:** (Implied need) Restoring services with enhanced security measures.
## Lessons Learned
- The distinction between general identity data theft and theft of detailed medical records (Level 4) dictates different criminal markets and different types of harm (e.g., identity fraud vs. procedure fraud).
- The increased reliance on a "cohesive health ecosystem" involving third-party providers significantly expands the viable attack surface. A beachhead in one provider might grant elevated trust to others.
- Security must evolve to address endpoints, segmentation, and authentication across this sprawling ecosystem.
## Recommendations
- Implement robust, layered security controls across all connected third-party providers within the health ecosystem.
- Prioritize strong **encryption** for data at rest and in transit, especially for Level 3 and Level 4 data.
- Deploy **sane network segmentation** to prevent easy lateral movement between different functional areas or trusted partners.
- Maintain **vigilant network monitoring** capable of detecting bulk data aggregation behavior.
- Mandate strong **authentication** mechanisms, particularly for remote access or access to high-sensitivity data endpoints.
- Develop and test **reliable disaster recovery** plans specific to EHR availability.