Anthem Cyberattack Exposes Millions of Health Data
By Chad Terhune and Ryan Parker
Health insurance giant Anthem Inc. said late Wednesday that hackers had breached its computer system and the personal information of tens of millions of customers and employees was possibly at risk.
The attack on the nation's second-largest health insurer could be one of the largest data breaches in the healthcare industry.
"Cyber attackers executed a very sophisticated attack to gain unauthorized access" to one of the company's computer systems and "have obtained personal information relating to consumers and Anthem Blue Cross employees who are currently covered, or who have received coverage in the past," Indianapolis-based Anthem said in a statement.
The data breach extended across all of Anthem's business, possibly affecting customers at large employers, individual policyholders and people enrolled in Medicaid managed-care plans.
Anthem has more than 37 million members in California and 13 other states. But the company warned that it also had information in its database on other Blue Cross Blue Shield patients from all 50 states who had sought care in its coverage area.
Suspicious activity was first noticed and reported Jan. 27. Two days later, an internal investigation verified that the company was a victim of a cyberattack, the company said. The unauthorized access to the vast database goes back to Dec. 10.
Hackers appear to have accessed customers' names, dates of birth, Social Security numbers, member ID numbers, addresses, phone numbers, email addresses and employment information, Anthem said. Some of the customer data may also include details on their income.
At this point, it appears that the data stolen do not include medical information or credit card numbers, according to the company.
Anthem, formerly known as WellPoint, is California's largest for-profit health insurer and the top company by enrollment on the Covered California insurance exchange.
The data breach comes at a crucial time for Anthem. The company is trying to sign up thousands of people in Obamacare coverage before a Feb. 15 deadline as part of the Affordable Care Act. Anthem has more than 700,000 people enrolled in health-law coverage nationwide.
The attack comes on the heels of other big data breaches at Home Depot Inc., Target Corp. and Sony Pictures Entertainment.
The FBI, which is investigating the breach, complimented Anthem's quick response to the hack.
"Anthem's initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances," a statement from the FBI said. "Speed matters when notifying law enforcement of an intrusion, as cyber criminals can quickly destroy critical evidence needed to identify those responsible."
The company has established a website, www.anthemfacts.com, where members can access information about the situation.
There is also a dedicated toll-free number that current and former members can call if they have questions related to this incident: (877) 263-7995.
Some Anthem customers received an email notification about the incident late Wednesday from the company's chief executive, Joseph Swedish.
In the email Swedish said he shared consumers' frustration since his own personal information was also hacked.
"Anthem's own associates' personal information -- including my own -- was accessed during this security breach," Swedish wrote. "We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data."
Technology experts said the Anthem incident could become one of the largest data breaches ever pending the outcome of the ongoing investigation.
"If confirmed, we are dealing with one of the biggest data breaches in history and probably the biggest data breach in the healthcare industry," said Jaime Blasco, vice president and chief scientist at AlienVault, a San Mateo, Calif., information security firm.
"For individuals, in a few words, it is a nightmare," he said. "If the attackers had access to names, birthdays, addresses and Social Security numbers, it means that information can be easily used to carry out identity theft schemes."
(c)2015 the Los Angeles Times