Anthem cyberattack renews calls for info sharing

House Homeland Security Chairman Michael McCaul said Congress needs "to take aggressive action."

Wikimedia image: Michael Thomas McCaul, Sr. (U.S. Representative for Texas's 10th congressional district)

House Homeland Security Chairman Michael McCaul said Congress needs to move cybersecurity information-sharing legislation "as soon as possible."

Anthem Inc., one of the country's biggest health insurers, has been hit by a major cyberattack that could affect millions of its customers and employees. As news of the large-scale hack broke late Feb. 4, it was already having a ripple effect on Capitol Hill, with a top lawmaker calling on Congress to pass information-sharing legislation in response.

Hackers stole personal information from current and former Anthem members, including Social Security numbers, street and email addresses, and income data, the insurer said a statement that described the hack as "very sophisticated." The firm said it had seen no evidence that credit card or medical information was compromised.

The hackers penetrated an Anthem database housing the personal information of 80 million Anthem customers and employees, the Wall Street Journal reported.

In a statement, the FBI said it was investigating the Anthem hack and praised the company’s swift response. 

"Anthem’s initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances," said the bureau.

"Rapid notification allows the FBI to quickly deploy our cyber experts to preserve evidence and work with a company's incident responders to help them remediate their networks and rid their systems of harmful malware," the statement said.

Rumblings on the Hill

A key lawmaker quickly took notice of the cyberattack on Anthem.

"This attack is another reminder of the persistent threats we face, and the need for Congress to take aggressive action to remove legal barriers for sharing cyber threat information," said Texas Republican Michael McCaul, chairman of the House Homeland Security Committee. "I will lead this effort with other committees in the House and Senate to ensure we move forward with greatly needed cybersecurity legislation as soon as possible."

President Barack Obama is reportedly set to announce executive action to encourage the private sector to share cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center.

Breach notification proposal 

By any standard, Anthem acted quickly in reporting the breach to customers and the public just days after it occurred. State laws vary widely about when notification should take place, and how much time firms should have before disclosing the theft of personally identifiable information.

The Obama administration recently came out in support of a national data breach standard that includes a requirement to notify customers within 30-days of a breach. The Senate Commerce Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security held a hearing Feb. 5 to discuss what a national standard might look like and whether federal rules should preempt state regulations in those states which maintain stringent breach notification standards.

"Just this morning we woke up to news of what experts are calling the largest health care breach to date," said Sen. Jerry Moran (R-Kan.), the subcommittee chairman.  He sounded a hopeful note for action on a national standard. "The president's support along with bipartisan and bicameral congressional interest has renewed optimism among stakeholders that congress can develop a balanced and thoughtful approach with legislation in the near term," he said.

No apparent impact on HealthCare.gov

The cyberattack on Anthem put hackers inside a network with connections to government systems including HealthCare.gov and Medicare.gov, where enrollment and payments are processed. A CMS spokesperson told FCW that "while there is no indication at this time that the attack against Anthem has impacted HealthCare.gov or Medicare.gov, we remain vigilant in responding to cybersecurity events."

Ahead of the current open enrollment season, which began in November 2014 and closes Feb. 15, CMS invested in new detection tools, and in its cyber response, as well as adding to its cybersecurity team, a spokesperson said. To date, according to CMS, no personally identifiable information has been accessed or stolen by hackers or others with malicious intent from HealthCare.gov or Medicare.gov.

Outside help

Like Sony Pictures Entertainment after it was hacked last November, Anthem has hired cybersecurity firm Mandiant to help investigate the hack.

Anthem already had a good idea of the data stolen before hiring Mandiant a few days ago, said David Damato, managing director of Mandiant's parent firm FireEye Inc. He said it was unusual for a firm to have that level of forensics detection before an investigation begins.

Mandiant's team is working alongside the FBI, feeding malware and IP addresses to the agents to check against "their intelligence and give us some initial indication on the context," said Damato, who spoke to FCW from Anthem's war room for dealing with the hack, at its Indianapolis headquarters. He said the malware found on Anthem’s network was sophisticated, customized and not publicly available.

Damato said it was too early to say whether, given the sophistication of the malware, a nation-state was behind the hack.

In August, the FBI formally warned the health care industry that hackers were targeting companies for intellectual property and possibly personal information like the kind stolen from Anthem, according to a Reuters report.