Posted on Feb 4, 2015
Health insurer Anthem said hackers infiltrated its computer network and gained access to a host of personal information for customers and employees, including CEO Joseph Swedish.
SAN FRANCISCO —Millions of Anthem health insurance customers woke Thursday morning to an e-mail from the company telling them hackers had gained access to the company's computers and that their names, birthdays, Social Security numbers, addresses and employment data including income might have been stolen.
"Anthem will individually notify current and former members whose information has been accessed. We will provide credit monitoring and identity protection free of charge so that those who have been affected can have peace of mind," Anthem President and CEO Joseph Swedish said in the e-mail.
No credit card information was accessed in the attack, the company said.
The breach was first announced late Wednesday. It could affect as many as 80 million current and former customers of the nation's second-largest health insurance company.
"Anthem was the target of a very sophisticated external cyberattack," Swedish said in a statement posted on a website the company created for information about the incident.
Exactly how many people are affected wasn't immediately clear. The database that was infiltrated contained records for 80 million people.
The company is still investigating exactly how many records were actually stolen but, "at this point we believe it was tens of millions," said Cindy Wakefield, an Anthem spokeswoman.
If the entire file was taken it would be "the largest health care breach to date," said Vitor De Souza, a spokesman for Mandiant, the computer security company Anthem has hired to evaluate its systems.
Anthem members should be especially wary of criminals trying to "piggyback" onto the hack by using it to launch social engineering attacks to get their information, said Lee Weiner, a security expert with computer security company Rapid7.
These would most likely be e-mails or phone calls that try to trick worried consumers into sharing confidential information such as financial details.
"Consumers should be suspicious of any unsolicited calls or e-mails — don't click on links, or provide personal information over the phone or e-mail. If you get a call, offer to call back and use your search engine to find the appropriate number. Do likewise for any e-mails," he said.
The e-mail sent to Anthem customers Thursday morning only offers a link to the company's site at www.AnthemFacts.com and a toll-free number to call, 877-263-7995. Customers are not asked to send in any information.
The breach is a wake-up call to the health industry, experts say.
Attacks against the health care industry topped the 2014 breach list compiled by theIdentity Theft Resource Center. Health care companies suffered 42.5% of all data breaches in 2014, continuing a three-year trend, the survey found.
"Many health care companies have been laggards in the security area by focusing purely on check-box compliance and not on protecting customer information," said John Kindervag, an analyst with Forrester Research in New York.
No actual medical information appears to have been stolen, beyond customers' medical identification numbers. However under HIPAA, the 1996 Health Insurance Portability and Accountability Act that governs the confidentiality and security of medical information, all of that is considered protected health information and is covered by the act.
Anthem discovered the breach last week.
"The FBI is aware of the Anthem intrusion and is investigating the matter," said FBI spokesman Joshua Campbell.
Customers whose information has been stolen should report any suspected instances of identity theft to the FBI's Internet Crime Complaint Center at www.ic3.gov, Campbell said.
The Anthem data hasn't yet appeared on underground sales sites, said Alexander Heid, chief research officer with Security Scorecard, a computer security company in New York City.
However, "we are seeing requests to purchase it when it becomes available" on those same sites, Heid said.
The datasets that Anthem says were stolen, including name, address, Social Security number, email and income, are especially enticing to thieves. They care called "fullz" in the cyber underground because they contain enough information to create a new line of credit.
"They're more valuable than credit cards nowadays," Heid said. "With a credit card, you use it once, it gets discovered and they shut it off. But there's no expiration number for a Social Security card. So credit can be built and destroyed over and over again."
Anthem Inc. was previously known as WellPoint Inc. It was formed when Anthem Insurance Company bought WellPoint Health Networks in 2004.
The company has customers in 14 states.
Check out our list of 3 top third party risk management (TPRM) challenges, and the actions you can take to bolster your program. Learn more.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.