Premera Blue Cross, a major provider of health care services, disclosed today that an intrusion into its network may have resulted in the breach of financial and medical records of 11 million customers.
The health care provider said it is working with security firm Mandiant and the FBI in the investigation. Mandiant specializes in tracking and blocking attacks from state-sponsored hacking groups, particularly those based in China.
There are indications that this may be the work of the Chinese espionage group tied to the breach disclosed earlier this year at Anthem, an intrusion that affected some 78 million Americans.
According to Brian Krebs' blog, it is possible that both the Premera Blue Cross and Anthem attacks were carried out by the same state-sponsored group of hackers.
This new authentication method offered by Yahoo looks awkward, from both the user experience and the security point of view:
1. User experience: keying in a one-time password each time I want to log in, is this the solution? Copy/paste from KeePass is much more convenient.
2. Security: yes, it is a single factor, and an ugly one, because anyone who can steal or borrow your phone for just 2 minutes can now access your account. Password only is ugly as well; only a combination of two factors provides a reasonable level of protection.
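To make the two-factor point concrete, here is an added example (not code from Yahoo or from the original post) in Go: an RFC 6238 TOTP generator and two login checks side by side, one that accepts the one-time code alone and one that requires the code and the password together. The `account` type, the fixed salt, the `loginOTPOnly` and `loginTwoFactor` names and the salted SHA-256 stand-in for a password hash are all assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// totp computes an RFC 6238 code (HMAC-SHA1, 30-second step) from the shared
// secret and a Unix time. The phone and the server both hold the secret.
func totp(secret []byte, unixTime int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation (RFC 4226)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// verifyTOTP accepts the current 30-second step and one step either side to
// tolerate clock drift, comparing in constant time.
func verifyTOTP(secret []byte, code string, now int64) bool {
	match := 0
	for _, t := range []int64{now - 30, now, now + 30} {
		match |= subtle.ConstantTimeCompare([]byte(totp(secret, t, 6)), []byte(code))
	}
	return match == 1
}

// account is a constructed user row (assumption of this example). The password
// hash is a salted SHA-256 stand-in; a real system uses a slow hash such as
// bcrypt or argon2.
type account struct {
	salt       []byte
	pwHash     []byte
	totpSecret []byte
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

func newAccount(password string, totpSecret []byte) account {
	salt := []byte("constructed-fixed-salt") // a real system draws this from crypto/rand
	return account{salt: salt, pwHash: hashPassword(salt, password), totpSecret: totpSecret}
}

// loginOTPOnly models the single-factor scheme criticised above: whoever
// holds the phone for a moment is in.
func loginOTPOnly(acct account, code string, now int64) bool {
	return verifyTOTP(acct.totpSecret, code, now)
}

// loginTwoFactor requires something you know and something you have. Both
// checks always run, so the response does not reveal which factor failed.
func loginTwoFactor(acct account, password, code string, now int64) bool {
	pwOK := subtle.ConstantTimeCompare(hashPassword(acct.salt, password), acct.pwHash) == 1
	otpOK := verifyTOTP(acct.totpSecret, code, now)
	return pwOK && otpOK
}

func main() {
	secret := []byte("12345678901234567890") // the RFC 6238 test secret, used here as a constructed sample
	acct := newAccount("correct horse battery staple", secret)
	now := time.Now().Unix()
	code := totp(secret, now, 6) // what the phone would display right now
	fmt.Println("stolen phone, OTP only:", loginOTPOnly(acct, code, now))
	fmt.Println("stolen phone, no password:", loginTwoFactor(acct, "guess", code, now))
	fmt.Println("both factors:", loginTwoFactor(acct, "correct horse battery staple", code, now))
}
```

With the RFC 6238 test secret, `totp` reproduces the published vectors (for example T=59 gives 94287082), and the two login functions show the difference the post is making: `loginOTPOnly` lets anyone holding the phone in, while `loginTwoFactor` also needs the password.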
This article is a good illustration of the state of data-at-rest encryption of PII (Personally Identifiable Information) and PHI (Protected Health Information) in the healthcare industry.
HIPAA, unlike PCI DSS, does not explicitly require data-at-rest encryption; however, the importance of database encryption should not be overlooked. Although data-at-rest encryption does not provide ultimate protection, it is, when implemented correctly, an effective barrier against unauthorized internal or external users and against hackers who have managed to break into the network (neither scenario should be ignored). No one wants to be included in HHS's "hall of shame".
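As an added example of the "implemented correctly" part (this is not code from the article or from any of the organisations mentioned), the Go program below encrypts a PHI field at the application tier with AES-GCM before it is written to the database, so someone who reads the raw table or a backup, whether an insider or an intruder on the network, sees only ciphertext. The `patientRecord` row shape, the `fieldCipher` type and the sample diagnosis string are assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// patientRecord is a constructed row shape. The ID stays in the clear for
// indexing; the PHI field is stored only as nonce || ciphertext || tag.
type patientRecord struct {
	ID        string
	Diagnosis []byte
}

// fieldCipher wraps an AES-GCM key held by the application tier, not the
// database, so a copied table or a stolen backup cannot be decrypted alone.
type fieldCipher struct{ aead cipher.AEAD }

func newFieldCipher(key []byte) (*fieldCipher, error) {
	block, err := aes.NewCipher(key) // accepts 16, 24 or 32 byte keys
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &fieldCipher{aead: aead}, nil
}

// seal encrypts one field. The record ID is bound in as associated data, so
// a ciphertext copied into another row will not decrypt there.
func (f *fieldCipher) seal(recordID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce, giving nonce||ct||tag.
	return f.aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// open reverses seal; tampering, a wrong key or a wrong record ID all fail.
func (f *fieldCipher) open(recordID string, stored []byte) ([]byte, error) {
	n := f.aead.NonceSize()
	if len(stored) < n+f.aead.Overhead() {
		return nil, errors.New("stored field too short")
	}
	return f.aead.Open(nil, stored[:n], stored[n:], []byte(recordID))
}

// storeRecord is what the application does on write.
func storeRecord(fc *fieldCipher, id string, diagnosis string) (patientRecord, error) {
	ct, err := fc.seal(id, []byte(diagnosis))
	if err != nil {
		return patientRecord{}, err
	}
	return patientRecord{ID: id, Diagnosis: ct}, nil
}

// dumpLeaks models someone reading the raw table: true if the plaintext is
// visible in the stored bytes.
func dumpLeaks(rec patientRecord, needle string) bool {
	return bytes.Contains(rec.Diagnosis, []byte(needle))
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	fc, err := newFieldCipher(key)
	if err != nil {
		panic(err)
	}
	rec, _ := storeRecord(fc, "patient-42", "Type 2 diabetes") // constructed sample
	fmt.Printf("stored: %s\n", hex.EncodeToString(rec.Diagnosis))
	fmt.Println("plaintext visible in dump:", dumpLeaks(rec, "diabetes"))
	pt, _ := fc.open(rec.ID, rec.Diagnosis)
	fmt.Println("application-tier read:", string(pt))
}
```

The design choice that matters is where the key lives: keeping it with the application (or in a separate key service) rather than in the database is what makes a dumped table or a stolen backup useless on its own, and binding the record ID as associated data stops ciphertext from being moved between rows undetected.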
The U.S. Department of Health & Human Services has set up a "hall of shame": a list of major data breaches at healthcare organizations. Unfortunately, there is no such list for retail breaches; however, there is an even more general list that tracks both retail and healthcare breaches: PRC's Chronology of Data Breaches.