💾 Archived View for dioskouroi.xyz › thread › 29418433 captured on 2021-12-04 at 18:04:22. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2021-12-03)

➡️ Next capture (2021-12-05)

🚧 View Differences

-=-=-=-=-=-=-

Anthem Blue Cross breach notification [pdf]

Author: arkadiyt

Score: 180

Comments: 90

Date: 2021-12-02 16:37:22

Web Link

________________________________________________________________________________

newfonewhodis wrote at 2021-12-02 18:43:12:

What are we doing?
We:
• Looked into what caused this issue.
• Are taking steps to reduce the risk of this happening again.
• Temporarily shut down the portal account

So, they cheap out on security, cause MY PII to be leaked (enough for identity theft) and all they do is shut my own access out?

No details on "Are taking steps to reduce the risk of this happening again" because I bet all they did was shut off this one hole rather than revamp their security.

For the record, this isn't even the first Anthem BC breach: In 2015, they had a breach so large that it has its own Wikipedia page.

https://en.wikipedia.org/wiki/Anthem_medical_data_breach

In 2020, Anthem had net income of $4.57 billion. If they are fined at/settled for the same level as the 2015 breach (~$150M), then their incentive is to continue playing fast and loose with data rather than invest in sane security.

adolph wrote at 2021-12-02 20:35:36:

_Anthem has agreed to pay $115 million to settle a class-action lawsuit following a 2015 data breach that exposed nearly 80 million patient records._

https://www.fiercehealthcare.com/privacy-security/anthem-agr...

_f) Attorney Fees and Costs. Plaintiffs will also separately petition for an

award of attorneys’ fees and reimbursement of litigation expenses from the Settlement Fund.

Plaintiffs will not seek more than 33% of the Settlement Fund ($37,950,000) for attorney fees,

which as counsel pledged at the onset of the litigation will amount to considerably less than 1.75

times their reasonable lodestar, already reduced in the exercise of billing judgment. Cervantez

Decl. ¶ 18. They will also will not seek more than $3,000,000 in expense reimbursements, and

will support their application with detailed lodestar information and an accounting of their

expenses. Id. ¶ 19. Defendants have agreed not to oppose Plaintiffs’ application_

https://s3.amazonaws.com/assets.fiercemarkets.net/public/004...

avgDev wrote at 2021-12-02 20:17:38:

> • Are taking steps to reduce the risk of this happening again.

Bob I want you to find me the best(cheapest) security contractor you can find.

Few moments later......Sorry, we had another breach, we had one of the best security experts in the world look over our systems and made appropriate changes. We increased our security budget from $5 to $5.01.

Have you checked out our corporate events? Those are really fun and we really go all out for our employees.

crate_barre wrote at 2021-12-03 03:22:07:

Accenture here, we are prepared to do your bidding.

sonicanatidae wrote at 2021-12-02 21:38:30:

Sure, this is _your_ data, not theirs.

Source: Equifax 2017.

ceejayoz wrote at 2021-12-02 19:47:08:

Time to rename that Wikipedia page, I suppose.

hereforphone wrote at 2021-12-02 18:16:03:

My insurance company. And NICE! they are offering me free credit monitoring. Only I still have free credit monitoring from the OPM breach where the federal government lost all my personal information to what is probably nation-state level hackers.

No consequences, the trend will continue. Consider all of your information compromised, always.

snapetom wrote at 2021-12-02 19:03:43:

With so many data breaches occurring, we all probably have free credit report monitoring for life.

It's completely ridiculous. There's zero consequences for bad security. All companies need to do is report the breach to the government, buy "credit monitoring" for the victims which costs pennies, and deal with half a day of bad press on Twitter. Meanwhile, consumers have to deal with identity theft consequences, which in a court of law, is nearly impossible to tie back to a specific incident.

Until governments impose serious fines, even to mom and pop businesses scaled up to massive corporations, this will not change.

philwelch wrote at 2021-12-02 20:42:42:

There’s a requirement that buildings need to have building plans that are personally approved and vouched for by a credentialed Professional Engineer, who takes personal liability—up to and including criminal liability for negligent homicide—if the building collapses and harms people due to a design flaw. I think that’s a good model for this type of problem.

EricE wrote at 2021-12-02 22:34:46:

Yes - computer "science" is a joke. I'm certainly not one for rampant regulation, but this is an area that needs to get seriously beefed up.

Especially with the right systems far more people can be harmed than by a building collapse :p

hereforphone wrote at 2021-12-02 22:59:09:

Computer science is a real science and is fine. It is not however engineering. Anyway, the problems lie in the information security industry, which is amateur in comparison.

throwawayboise wrote at 2021-12-03 04:02:52:

Yes, corporate IT is basically equivalent to 1800's era factory technology. It works, but there are massive safety issues.

hulitu wrote at 2021-12-03 13:17:51:

The technology is there. You just have to use it. It does not help however, that the most popular mobile and desktop OSs make money with your data which leads to absymal security practices.

maccolgan wrote at 2021-12-03 06:08:44:

Perhaps it's indeed time for serious companies (these are definitely not MVPs) to have security insurance and they'd mandate some standard.

perl4ever wrote at 2021-12-03 00:40:24:

>identity theft consequences

>Until governments impose serious fines

Or maybe change the language? It's not possible to steal an identity; it's a fiction that is convenient for corporations handling personal information in ways that cost society.

b9a2cab5 wrote at 2021-12-02 19:28:05:

Good IT and engineering staff is a lot more expensive than even a fine for 10% of your annual revenue. Hiring a single good security engineer might cost 400k or more.

Good luck getting your insurance company that pays $100k to senior engineers to do that.

snapetom wrote at 2021-12-02 19:36:03:

That is definitely a key problem. Why pay for even one security professional when the consequences are just a few grand in credit monitoring for your customers?

perl4ever wrote at 2021-12-03 00:59:06:

I applied for a programming job with an insurance company once and then the first screening test involved interpreting flowcharts, looked like they were photocopied from a 1970s textbook. I decided then and there it wasn't worth it.

>$100k to senior engineers

Could be half that and no technical screening whatsoever.

pettycashstash2 wrote at 2021-12-03 11:10:35:

Most technical operations are outsourced. They even have a separate company in india for obvious cost savings reasons.

perl4ever wrote at 2021-12-04 02:23:09:

Anthem specifically? Maybe, but insurance and other mundane companies in general hire Americans for IT jobs, only in places like Indiana, upstate NY, or the southeastern US. Often working with people who are in, say, New Delhi, but not being replaced by them.

Outsourcing frequently means outsourcing to people in the US who are paid enough less to be a logical option.

kylehotchkiss wrote at 2021-12-02 19:08:31:

Since everybody already has free credit monitoring, it seems like maybe they should be paid cash for breaches in the future.

lotsofpulp wrote at 2021-12-02 20:35:47:

I bet a lot of people would sign up to pay lower premiums in exchange for not having their data be private. I probably would too depending on how much cheaper.

People already use GoodRx discount cards at pharmacies.

jlmorton wrote at 2021-12-03 05:18:10:

There's was an option to accept $50 in lieu of credit monitoring last time.

disabled wrote at 2021-12-02 19:58:20:

A lot of countries have solved this problem. I am a dual US|EU (Croatian) citizen.

On the EU side, we have smart chip national ID cards that are being adopted EU-wide.

In Croatia, you can use those smart chip national ID cards for governmental affairs with a USB smart chip reader (for authentication) on the e-citizens portal.

kingcharles wrote at 2021-12-02 20:22:59:

I need to buy shares in credit monitoring companies. It's the industry of the future!

Trisell wrote at 2021-12-03 03:07:28:

I’ve worked inside of these companies. It’s not just a money issue. It’s a competency issue. These companies are at least 10+ years behind in everything tech. They still believe in firewall moats. Flat networks. They have PHI spread across dev test and production environments. Upper management views tech as a cost center that never produces. They can’t keep talent around because they refuse to pay market rates. And most of their employees and manager have been around 20 plus years, which they applaud longevity, and anybody who attempts to come in and do something new and secure is derided as a hipster who isn’t into security.

I knew of 5 different ways I could have exfiltrated the entire PHI of every member without them having any knowledge of it and the SecOps manager just ignored it because they were “to busy”. Throw in archaic security requirements passed down from the BCBSA that do nothing to actually

improve security but generally make it harder to work and you have a recipe for disaster.

MrDunham wrote at 2021-12-03 03:23:44:

> They can’t keep talent around because they refuse to pay market rates

The former CTO of Blue Shield of California told me back in 2012 (re tech talent):

> “We have the Ds and the Fs of the industry. I mean, who would want to work for a payor (insurance co) in SF?”

(Quoted to the best of my memory… But the first sentence is pretty much verbatim)

pizza wrote at 2021-12-03 06:49:10:

Kinda galling to realize that some of the most personal information of millions of people is being guarded by the D's and F's of the industry.. They ever heard of "First, do no harm?"

MrDunham wrote at 2021-12-03 13:24:42:

> Kinda galling to realize that some of the most personal information of millions of people is being guarded by the D's and F's of the industry

I 100% agree.

I also wonder what the solution could be though… Especially for geographies that have lots of more interesting companies to work for.

We could sit here and say “they could pay market rates“ (or even, “they could pay shiploads of cash, benefits, etc”) but, from the little data I gathered from the CTO and others, some of the difficulties are

1. that the problems they have are generally not very interesting because…

2. their risk tolerance is -1000 since

3. innovation & change is seen as - and can pose a very material - risk, and

4. They are a slow and stodgy companies mired in regulations and guided by legal teams* (Also means offering stock/upside underperforms tech companies by a mile)

I’m trying to imagine a scenario where (as a person with plenty of options) I would be interested in joining the health insurance company for longer than a year or two…

Even if they gave me a massive salary, a gorgeous office, a robust team, they would still have massive challenges to give impactful problems to work on without getting mired in internal legal battles and committee reviews.

Having seen several insurers from the inside most of them would need massive internal cultural changes just to hire a handful of A-players and retain them for any reasonable length of time (make that triple true with the pandemic popularizing remote work)*

* A quote from the #3 person at Regence who I worked with: “I love this!” (Re a startup product.) “How do we get it around legal and through procurement?”

Even someone who controlled 1/3 of all revenue made by the business still could be stymied by legal & procurement.

* There is one shining star I could point to… Regence BlueCross BlueShield of the Pacific Northwest. They are owned by a parent company, Cambia, which also has an accelerator, venture arm, and an innovation lab if I remember correctly.

They have solved some of these issues by investing in innovators such as spotlight health to help them solve their business needs. However, I don’t believe (though I have no data) they had a robust internal security team for all the reasons listed above.

(I haven’t had any contact or affiliation with him in about eight years.)

tgsovlerkhgsel wrote at 2021-12-03 04:54:01:

If they actually treated their IT team as valuable staff members and not a cost center, and paid market rates, I'm sure they wouldn't have trouble finding talent.

code_biologist wrote at 2021-12-03 06:46:35:

The point made in other threads is that it's way cheaper to just pay token amounts when security breaches happen, rather than pay market rates. They don't want expensive talent.

primitivesuave wrote at 2021-12-02 21:08:11:

For every disclosed HIPAA violation, there are at least 10x the number of violations that go unnoticed and unreported. When you give data to a hospital or clinic, it is being shared in unredacted form with third parties that have signed Business Associate Agreements with the healthcare provider. There is no oversight or concrete regulation that comes with a BAA, there is no "HIPAA inspection" similar to an OSHA or FDA surprise inspection, while the ramifications of leaking your health data have become far more consequential (to the point that you might need to pay into the Experian protection racket when it happens).

Source: I work in the industry.

sfink wrote at 2021-12-02 21:28:31:

I have a portal account that my (autofilled!) password wasn't working for.

I contacted the doctor's office, and they sent me back the plaintext password.

That's when I knew.

primitivesuave wrote at 2021-12-02 21:47:42:

This is the perfect anecdote. Either you get lucky with a healthcare provider that has signed a BAA with a company where someone happens to know how to use bcrypt for passwords, or you don't - there is really no way to know until you send that password reset email.

bashonly wrote at 2021-12-03 01:12:49:

i used to work in health care, and the website for a certain medical board stores all of its licensees' passwords in plaintext. i am no longer licensed with that board, but i can't remove any of my data. a breach seems inevitable.

perl4ever wrote at 2021-12-03 00:51:34:

I logged on to a medical practice's portal and was able to access all of the provider's notes from my visits.

I didn't read them or investigate to see whether it was just my own that were available, but I'm pretty sure it was a mistake in setting permissions.

Some time later the whole portal disappeared, except for a bill pay page. Also the provider suddenly quit with no warning; I don't recall the sequencing.

Nobody ever sent me a letter fessing up to anything.

JshWright wrote at 2021-12-03 03:11:25:

The provider's notes about your visit are part of your medical record, and something that would be very reasonable for you to see (in most cases they are legally required to provide access to your compete record). What would they need to "fess up" about?

perl4ever wrote at 2021-12-03 04:28:01:

>in most cases they are legally required to provide access to your complete record

Yes, I'm aware and I have requested my records in the past. I can even spell HIPAA, unlike a lot of people.

This is irrelevant to my anecdote about the screwed up portal, since I would be aware and have mentioned it if I made such a request, which I did not.

>What would they need to "fess up" about?

Like I said, I didn't investigate to find out the full story, because we all know what happens if you "hack" a broken system.

notwedtm wrote at 2021-12-03 15:49:33:

Yeah, I don't follow this line either. My doctors portal has my providers notes readily available to me without me asking.

Are you sure you aren't just expecting to have to request it, and are being surprised by the fact that you don't?

perl4ever wrote at 2021-12-03 18:58:58:

Yes, I am.

I have a primary care doctor whose portal has the sort of thing you're referring to. That's different.

JshWright wrote at 2021-12-03 11:58:15:

But they were _your_ records. Are you saying they should only be available to you upon request?

I'm not following you to the conclusion that it must be broken because it gave you access to your own records.

perl4ever wrote at 2021-12-03 19:00:35:

>Are you saying they should only be available to you upon request?

No.

brutal_chaos_ wrote at 2021-12-02 22:51:42:

Free credit monitoring is the biggest scam of all:

- Company doesn't follow security practices and leaks data

- Feds get notified if it's a big enough breach. Btw, this is from the good will of the company

- Data Brokers...erm, Credit Agencies, then monitor for the data...i guess the insurance company sent it to them too, so they know what to look for?

- I don't know who pays for this (originating company, tax payers, etc)

- Credit Agencies now get to monitor you. Watch what you do under the guise of protecting you. While still building your credit score.

- Hopefully the info leaked and being used is accurate. If not, the Credit Agency has no obligation to fix it unless you say so and even then it can take a long time to remedy.

This just seems fucked.

chris37879 wrote at 2021-12-03 00:48:25:

I have a creditor that reported a bogus charge. The source of the charge is an illegal clause in their contract, when I tried to get the charge removed from my credit report, they sent back as proof the final page of the document with my signature (not even the page with the clause in question) and that was apparently enough to validate the debt? So because I had signed _something_ for them, the debt was assumed to be valid. It's now at the point where the only means I have to remove it from my report is to sue them.

perl4ever wrote at 2021-12-03 01:03:28:

The last time I went to urgent care and then to the hospital, they had me sign for things on an electronic pad with no text presented or available.

Ha, now that I think of it, they probably had signs saying no recording and/or turn off your phone, so I may not have even been permitted to record what they _said_.

bigyellow wrote at 2021-12-03 01:18:08:

Unless such signs carry force of law where you live (I don't know of any such jurisdiction), always record conversations that take place in public settings.

throwawayboise wrote at 2021-12-03 04:08:54:

Gym membership renewal?

u801e wrote at 2021-12-03 02:53:19:

> Free credit monitoring is the biggest scam of all

The root cause is a clause in Federal law[1] that precludes an individual from holding a creditor or credit bureau liable for inaccurate information regarding that individual. If we were able to sue the creditor and credit bureau because they engaged in libel, then identity theft would no longer be a thing because there would be incentive for banks and other creditors to actually verify the identity of the individual before issuing credit.

[1]

https://www.law.cornell.edu/uscode/text/15/1681h

(e)

brutal_chaos_ wrote at 2021-12-03 04:09:50:

Wow, ok then. Screw the consumer. Too bad their neglect/delays/etc to update information isn't considered malice. People will lose out on homes, cars, be charged more if this false data is a negative on your credit score, while waiting for the kind overlords to make the appropriate changes.

bigyellow wrote at 2021-12-03 01:16:36:

Finally someone who gets it. Credit monitoring/reporting services are a straight up fraudulent scam to get more of your personal information. I feel sorry for the suckers who actually pay for such things.

brutal_chaos_ wrote at 2021-12-03 01:54:27:

Some of us do and have for awhile, but no one with power seems to know or care.

dreamcompiler wrote at 2021-12-02 21:30:10:

Until CEOs start going to jail for this stuff, it's prudent to expect every company you do business with will soon lose all your personal information to a bad guy. If the company makes an especially big deal about "protecting your personal information," expect it to happen even sooner.

vlovich123 wrote at 2021-12-02 23:42:22:

I don’t think that’s a good answer. It “feels good” but won’t solve any problem - do you really think security breaches will vanish because we will send the CEO to jail?

I think instead what we need to do is:

A) have “egregious” problem multipliers that stack. Using outdated cryptographic designs? 10x damages multiplier. Using software with known vulnerabilities that was part of the breach? 100x multiplier. Not encrypting data at rest? 1000x multiplier. Etc etc.

B) develop a standard whereby my PII is not allowed to be stored and you only get access to it at time of use (this would also largely solve the problem of the shadow data marketplace).

Even with all that, you could have a security breach where someone has a Trojan spying on all traffic live on the system and stealing that PII once it’s decrypted. So the problem isn’t solvable but maybe these kinds of steps might raise the bar.

throwawayboise wrote at 2021-12-03 04:10:33:

Basically, anyone who maintains a database of information needs to be liable for damages due to the disclosure and/or inaccuracy of that information. Trial lawyers will take care of the rest.

bigyellow wrote at 2021-12-03 04:31:33:

The whole point of incorporating is to limit personal liability. This vengeful "put CEOs in jail" attitude flies in the face of law and even common sense, and doesn't address the root of the problem, which is tech-illiteracy in the general population, not evil men in white collars.

unpolloloco wrote at 2021-12-03 17:19:38:

And all this would do is make the CEO a sacrificial position. Cheaper to pay someone to go to jail than it is to fix the problem

torstenvl wrote at 2021-12-03 07:00:48:

Incorporation limits liability of the shareholders. Nobody is talking about liability for shareholders.

bhaile wrote at 2021-12-02 20:08:06:

Anthem had another breach in 2015 [1]. Offered free credit monitoring then as well.

They were sued and settled in 2017 [2].

[1]

https://resources.infosecinstitute.com/topic/the-breach-of-a...

[2]

https://www.businessinsurance.com/article/00010101/NEWS06/91...

JumpCrisscross wrote at 2021-12-02 20:26:40:

Two years' credit monitoring plus, for "people who are already enrolled in credit monitoring...up to $50 per person." That looks like B.S. to me. But were I to play devil's advocate, I'd have to point out that the evidence of actual damage done is slim.

morpheuskafka wrote at 2021-12-02 18:56:10:

We have no reason to believe that someone will misuse your information because of what happened.

Uh, why do they think someone would illegally access information? Just for fun?

drewg123 wrote at 2021-12-02 19:26:43:

So the breach involved their portal. I HATE those portals. I wish healthcare providers would just send an email, rather than "you have a new message on our portal". I think (hope?) my email is more secure than these portals..

jonas21 wrote at 2021-12-02 19:55:50:

As I understand it, HIPAA requires that health information is secured in transit and at rest. This is difficult to do over email, since email is not always encrypted in transit, so the general recommendation is to use a portal instead.

There's some additional information here:

https://www.securitymetrics.com/static/resources/orange/HIPA...

tsol wrote at 2021-12-04 16:56:49:

These patient portals are required by law now, for all medical offices large and small. Part of it is also just shifting work into the portal one is required to have anyways

Source: have worked in a medical office

Skunkleton wrote at 2021-12-02 19:51:29:

Technically, your email may have been transmitted in plain text over the open internet. Most email doesn't go through unencrypted connections, but it isn't guaranteed. Email also doesn't do much to establish the authenticity of the sender, at least not as part of its specification.

somethoughts wrote at 2021-12-02 19:42:14:

Yes I wish there was a way to opt out and just rely on phone support. At least with phone support the attackers would have to social engineer things at an individual records level versus just being able to brute force huge bulk data records out.

JshWright wrote at 2021-12-02 20:41:44:

Most doctors offices are effectively overworked and understaffed small businesses. Shifting all that support to the phone would not be reasonable, from a workload perspective.

curryst wrote at 2021-12-03 15:11:19:

Just to expand on that, patients aren't the only ones with a legitimate reason to access that data. Insurance companies need copies as well, so they would still want some kind of mass-data portal even if customers don't use it. If you change doctors, they want copies of your old medical records. If you see a specialist, if you go to the hospital, etc, etc. Pharmacies might call and ask if they think there's something weird about a prescription.

Direct patient contacts are a vanishingly small percentage of records requests for a doctor. Doctors could likely handle those via phone, but it doesn't solve the issue of needing an EMR.

jeffparsons wrote at 2021-12-02 20:56:46:

Up to $1 Million Identity Theft Insurance: Provides coverage for certain

costs and unauthorized electronic fund transfers.

Why is this needed? If my bank erroneously decides to let somebody else transfer funds out of my account, or lets somebody else establish a debt in my name, then that's just a bank error. Is my bank not liable for that?

FateOfNations wrote at 2021-12-02 21:39:57:

While the bank may be liable at the end of the day, you very well may have to sue to get them to accept liability, and lawyers cost money. The insurance pays for the lawyers.

voganmother42 wrote at 2021-12-03 02:12:20:

Mitchell and Webb did a great riff on this:

https://youtu.be/CS9ptA3Ya9E

tgsovlerkhgsel wrote at 2021-12-03 04:52:22:

I find it astonishing that they're allowed to claim

We have no reason to believe that someone will misuse your information because of what happened

This information would be sufficient to pass identity checks for phone calls at most non-finance companies I've interacted with, including all healthcare providers.

gurchik wrote at 2021-12-03 05:21:57:

Came here to say the same thing. If the public actually believed this then Anthem would have no reason to provide credit monitoring.

brutal_chaos_ wrote at 2021-12-02 22:40:05:

We have no reason to believe that someone will misuse your information because of what happened.

Yeah, ok. They literally sent victims to a DATA BROKER to "protect" them. The very same people who would buy up that leaked data that came the "hack." What fucking world do we live in??

Edit: ...

y-c-o-m-b wrote at 2021-12-02 19:05:10:

Again?! They had a huge breach a handful of years ago too.

On a somewhat related note: I don't think Aetna is too far behind. Their website is just as awful as Anthem and as a software dev myself, I know that if you don't put care into your consumer-facing products, your security is probably really poor.

pcarolan wrote at 2021-12-03 01:17:10:

The fine should be $100 per user and go directly to the user. Some companies would just pay it but most would take this more seriously.

kelseyfrog wrote at 2021-12-03 03:16:41:

It should double every time.

disabled wrote at 2021-12-02 20:57:58:

Can’t wait for the medical device hacks coming soon!

I recently was admitted to an American hospital due to sepsis for an extended period of time, when I was visiting family for a few months (fortunately I am insured in the United States even while abroad).

The hospital required the nurses to administer IV meds in a very peculiar way.

One week into my hospital stay, they started a new programme administering IV meds with code executed from the Electronic Health Record (Epic) to the pump. The pump would start as soon as the barcodes for the IV meds were scanned. The infusion rates were programmed into the electronic health record so the nurses didn’t have to manually program the pump.

dec0dedab0de wrote at 2021-12-02 23:12:37:

I spent a bunch of time in the hospital over the last 2 years, and my hospital did the same switch. The nurses hated it, and they all knew how to override it if it didn't work correctly.

alx__ wrote at 2021-12-02 20:29:28:

Did the file move? Am getting file not found for:

https://oag.ca.gov/system/files/CA%20HITECH%20DTN%201020172....

mdaniel wrote at 2021-12-02 20:58:09:

https://oag.ca.gov/ecrime/databreach/reports/sb24-547906

is the metadata record for it, which links to

https://oag.ca.gov/system/files/CA%20HITECH%20DTN%201020172....

I found that via the whole list:

https://oag.ca.gov/privacy/databreach/list

throwawaysea wrote at 2021-12-02 22:45:43:

I'm sure many people here have been the victim of repeated security breaches. I feel like all the criminals have my info already. The best I can do from my end is compartmentalize risks by using different email addresses, phone numbers, logins, and passwords everywhere. But it isn't practical to do that either (particularly with phone numbers). We need to solve that problem, and we need to introduce actual fines and jail time for these breaches.

crankypirate wrote at 2021-12-02 18:56:32:

where is the official notification of the breach?

hifriends wrote at 2021-12-03 00:55:07:

This was a pretty small breach if its the same one reported here:

https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

2023 individuals affected.

dalrympm wrote at 2021-12-02 23:37:41:

I'm not surprised to find out they were breached I was trying to do a SEP around that time and finally gave up because their system was so broken. At least this explains the Apple ID reset requests I was getting in October!

trynewideas wrote at 2021-12-03 00:39:47:

Just quit a job (for other reasons, but that was a yellow flag if not a red one) that had just switched mid-term to Anthem so I'm personally feeling super great about this.

adrianmonk wrote at 2021-12-02 20:29:28:

I'm getting a 404 response and this message;

_The requested page "/system/files/ca%20hitech%20dtn%201020172.pdf" could not be found._

EDIT: Now I'm not, and I can load the PDF. Not sure why.

Rebelgecko wrote at 2021-12-02 19:29:01:

Is there any more info about the scope of the breach? from the PDF metadata I'm wondering if it only affected people on Medi-Cal in certain counties

SMAAART wrote at 2021-12-03 01:22:15:

What are we doing?

We changed our password from 1234 to OhMFGwerefucked1234

afrcnc wrote at 2021-12-03 09:26:31:

Only 5k impacted, per the HHS

floatingatoll wrote at 2021-12-02 18:26:28:

"Anthem Blue Cross is the trade name of Blue Cross of California" is why this is (ca.gov).