Following up on the Anthem security breach, the Wall Street Journal reports that the confidential data stolen from Anthem had not been encrypted. Businesses have reduced the impact of lost and stolen laptop computers by encrypting them; however, server-held data usually has not been encrypted. The article explains that
Scrambling the data, which included addresses and phone numbers, could have made it less valuable to hackers or harder to access in bulk. It also would have made it harder for Anthem employees to track health care trends or share data with states and health providers, that person [familiar with the matter] said.
That practice is bound to change. In an interview with Adam Meyer, chief security strategist of threat intelligence consultancy SurfWatch Labs, the Journal further reported
Based on what Anthem has shared publicly about the attack, what do you think happened?
An engineer discovered the incursion when he saw a database query being run using his credentials, which suggests the attackers probed the company’s Web server or other Web services for weaknesses, or gained access through spear phishing, in which they induced employees to click on an emailed link. Upon breaching the system, they likely hunted for administrators’ accounts, giving them access to sensitive information, such as names and Social Security numbers, which are typically hosted in the company’s enterprise resource planning application. From there, they likely queried the database behind the ERP app and began to siphon data to a cloud storage provider. Using trusted accounts to transfer data to trusted storage enabled them to remain undetected.
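The discovery described in that answer, an account owner noticing a query he never ran, is the kind of signal a database audit log can surface automatically: a trusted account suddenly querying from a new host, at an unusual hour, and pulling far more rows than it ever has. The following is an added example, not code from Anthem, SurfWatch Labs or the Journal; the log format, field names and sample lines are constructed for illustration. It baselines each user's normal source hosts, active hours and result sizes from historical entries, then flags later queries that break that baseline.

```python
"""Flag credentialed database queries that deviate from a user's baseline.

Constructed example: the audit-log format (timestamp | user | source host |
rows returned | statement) and all sample lines are assumptions made for
this illustration, not data from any real system.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log. The first three lines are the user's normal
# workday activity; the last two are the pattern the interview describes:
# a valid account, an unfamiliar host, the middle of the night, bulk pulls.
SAMPLE_LOG = """\
2015-01-20T09:14:02 | jdoe | ws-eng-17 | 12 | SELECT id, name FROM members WHERE id = 4412
2015-01-21T10:03:45 | jdoe | ws-eng-17 | 40 | SELECT id, plan FROM members WHERE region = 'NE'
2015-01-22T11:27:10 | jdoe | ws-eng-17 | 3 | SELECT id FROM members WHERE name LIKE 'Smi%'
2015-01-27T02:41:33 | jdoe | 10.0.9.88 | 2500000 | SELECT * FROM members
2015-01-27T02:55:01 | jdoe | 10.0.9.88 | 2400000 | SELECT * FROM member_contacts
"""


def parse_line(line):
    """Split one audit-log line into a dict (format assumed, see above)."""
    ts, user, host, rows, stmt = [f.strip() for f in line.split("|", 4)]
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "host": host, "rows": int(rows), "stmt": stmt}


def build_baseline(events):
    """Per user: hosts seen, hours of day active, largest result so far."""
    base = defaultdict(lambda: {"hosts": set(), "hours": set(), "max_rows": 0})
    for e in events:
        b = base[e["user"]]
        b["hosts"].add(e["host"])
        b["hours"].add(e["ts"].hour)
        b["max_rows"] = max(b["max_rows"], e["rows"])
    return base


def detect(events, baseline, bulk_factor=10):
    """Return (timestamp, user, reasons) for each event outside the baseline.

    A query is suspicious if it comes from a host the user has never used,
    at an hour the user has never been active, or returns more than
    bulk_factor times the user's largest previous result.
    """
    alerts = []
    for e in events:
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            reasons.append("no baseline for user")
        else:
            if e["host"] not in b["hosts"]:
                reasons.append(f"new source host {e['host']}")
            if e["ts"].hour not in b["hours"]:
                reasons.append(f"unusual hour {e['ts'].hour:02d}")
            if e["rows"] > bulk_factor * max(b["max_rows"], 1):
                reasons.append(f"bulk result ({e['rows']} rows)")
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], reasons))
    return alerts


def analyze(log_text, cutoff):
    """Baseline on entries before `cutoff` (ISO timestamp), evaluate the rest."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    cutoff_ts = datetime.fromisoformat(cutoff)
    history = [e for e in events if e["ts"] < cutoff_ts]
    recent = [e for e in events if e["ts"] >= cutoff_ts]
    return detect(recent, build_baseline(history))


if __name__ == "__main__":
    for ts, user, reasons in analyze(SAMPLE_LOG, "2015-01-25T00:00:00"):
        print(f"{ts} {user}: {'; '.join(reasons)}")
```

In a real deployment the baseline would be built over weeks rather than three lines, and the bulk-result rule matters most: the interview's point is that the attackers used trusted accounts and trusted storage, so the account and destination look legitimate and only the volume and circumstances of the queries give them away.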
The FEHBlog attended an Online Trust Alliance town hall meeting yesterday. He heard Twitter’s postmaster explain that Twitter routinely sends fake phishing emails to its staff. Any staff member who clicks on the message is “publicly shamed,” whatever that means. He also heard Federal Trade Commissioner Julie Brill speak. She discussed the FTC’s recent staff report on the Internet of Things, which concerns the explosion of interconnected devices. Here’s a link.
Although Anthem had cyber-liability insurance, the Financial Times reports that this massive breach will shake up the market for such insurance. A Lloyd’s representative is recommending that the government bear the risk, much as it does under terrorism insurance.
In a spot of good news, Reuters reports that CMS has agreed to cover low-dose CT scans as a means of lung cancer screening for “Medicare beneficiaries aged 55-77 who are current smokers or who quit within the last 15 years, and who racked up at least 30 “pack years.” The latter is possible if they smoked one pack a day for 30 years, for instance, two packs a day for 15 or three packs a day for a decade.” FEHB plans, which have loads of Medicare prime members, became obligated to cover this service in-network with no enrollee cost sharing at the beginning of 2015. Under the U.S. Preventive Services Task Force’s guidelines applicable to FEHBP plans and other group health plans:
The USPSTF recommends annual screening for lung cancer with low-dose computed tomography in adults ages 55 to 80 years who have a 30 pack-year smoking history and currently smoke or have quit within the past 15 years. Screening should be discontinued once a person has not smoked for 15 years or develops a health problem that substantially limits life expectancy or the ability or willingness to have curative lung surgery.
Absent this CMS action, FEHB plans would have been on the hook for the cost of all of these tests.
Finally, here’s an interesting tidbit from Seeking Alpha about the CVS pharmacy chain which quit selling tobacco products last year: