Cyberattack Affects up to 80M Anthem Customers, Employees
February 5, 2015 in News
On Wednesday, health insurer Anthem announced that hackers had accessed a database containing the personal information of about 80 million of its customers, former customers and employees, the San Jose Mercury News reports (Nelson, San Jose Mercury News, 2/5).
Anthem spokesperson Cindy Wakefield said that the company was “still investigating to determine how many were impacted” but that “[a]t this point we believe it was tens of millions” (Weise, USA Today, 2/5).
The company does not yet know the source of the cyberattack (Rubenfire, Modern Healthcare, 2/4).
The cyberattack could be the largest ever reported by a health care company and one of the largest breaches of customers’ personal information, according to the New York Times (Abelson/Goldstein, New York Times, 2/5). The largest previously known data breach attributable to a cyberattack occurred last year, when Community Health Systems announced that an external group of hackers stole the non-medical data of 4.5 million patients (Modern Healthcare, 2/4).
Anthem Breach Details
Anthem, the second-largest insurer in the U.S., first detected suspicious activity on Jan. 27. On Jan. 29, an internal investigation confirmed that the company database had been hacked, with the unauthorized access dating back to Dec. 10, 2014.
The company said the breach affected all of its product lines, potentially exposing the data of members in its affiliated health plans, as well as beneficiaries enrolled in Medicaid managed care plans (Terhune/Parker, Los Angeles Times, 2/4).
Anthem CIO Thomas Miller said investigators located the data at an external Web-storage service. The data were then frozen there, but Miller said it was unclear whether the hackers had previously been able to move the data to a separate location (Wilde Mathews/Yadron, Wall Street Journal, 2/4).
According to Anthem, compromised data could include:
- Dates of birth;
- E-mail addresses;
- Employment information;
- Income data;
- Medical IDs;
- Names; and
- Social Security numbers.
However, the company does not believe that consumers’ or employees’ credit card information or medical information, such as test results or claims, was “targeted or compromised,” according to a statement by Anthem CEO Joseph Swedish (Modern Healthcare, 2/4). Anthem also does not believe the hackers took physician or hospital data (New York Times, 2/5).
Anthem and the FBI are cooperating on an investigation into the attack. An FBI spokesperson said the agency is “aware of the Anthem intrusion and is investigating the matter” and commended the company for its “initial response in promptly notifying the FBI after observing suspicious network activity” (Wall Street Journal, 2/4).
Anthem also has:
- Created a toll-free number and website to respond to questions (New York Times, 2/5);
- Hired cybersecurity firm Mandiant to analyze the vulnerabilities in its systems (Modern Healthcare, 2/4);
- Halted all access to its data systems that involve only a single password; and
- Reset passwords for all its employees who have higher-level access to its data systems (Wall Street Journal, 2/4).
The insurer also intends to notify all potentially affected individuals and provide them with no-cost identity protection and credit monitoring services.
In a letter to Anthem’s customers, Swedish wrote, “I want to personally apologize to each of you for what has happened, as I know you expect us to protect your information. We will continue to do everything in our power to make our systems and security processes better and more secure, and hope that we can earn back your trust and confidence in Anthem” (Modern Healthcare, 2/4).
He added, “Anthem’s own associates’ personal information — including my own — was accessed during this security breach. We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data” (Los Angeles Times, 2/4).