Anthem, the nation’s second-largest health insurer, has been hacked, exposing personal information about millions of its employees and customers. It may be one of the largest data breaches yet at a major insurance company, as the company and its affiliates cover one in nine Americans.
Joseph R. Swedish, president and chief executive of the Indianapolis-based company, said in a statement posted on the company’s Web site that “attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs, social security numbers, street addresses, email addresses and employment information, including income data.”
Swedish said Anthem is working to close the “security vulnerability” and has called in the FBI to investigate. And the company has hired Mandiant, a cybersecurity firm, to evaluate the security of its network.
Swedish said the company would individually notify everyone whose information has been accessed and would provide free credit monitoring and identity protection. The company referred customers to a dedicated Web site for further information.
Anthem offers insurance plans in 14 states and has some 69 million customers, the company says. Anthem provided no information on how many people might be affected.
Swedish described it as a “very sophisticated external cyberattack,” but he said that based on what the company knows now, “there is no evidence that credit card or medical information” was compromised.
“Anthem’s own associates’ personal information – including my own – was accessed during this security breach,” Swedish said. “We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data.”
Depending on how widespread Anthem’s breach was, it might be among one of the larger cyberattacks in recent months. In 2014, retailers Target and Home Depot experienced data breaches that compromised credit card information for up to 110 million customers and 53 million customers, respectively. Major financial institution JPMorgan Chase also announced that it had been hacked and the names, addresses, phone numbers and e-mail addresses for some 76 million household had been compromised.
Anthem said that the breach affected its Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink and DeCare brands.
The breach also comes at a critical time — just days before the Affordable Care Act’s 2015 enrollment deadline for health insurance plans on Feb. 15.
Large companies are increasingly becoming the targets of massive, sophisticated cyberattacks. According to the Identity Theft Resource Center, which tracks the ones that are publicized, a record number of attacks affecting U.S. entities occurred in 2014.
The health and medical sectors are also increasingly becoming big targets. According to ITRC’s 2014 report, medical and health-care entities accounted for 42.5 percent of reported data breaches.
The effort to defend against them is ongoing and never-ending, but companies must also now devise strategies to quickly identify breaches and notify and reassure customers after a breach occurs.
In a statement, the FBI praised Anthem for moving quickly to identify the breach and notify law enforcement.
“Anthem’s initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances,” a statement from the FBI said, according to the Los Angeles Times. “Speed matters when notifying law enforcement of an intrusion, as cyber criminals can quickly destroy critical evidence needed to identify those responsible.”
[This post has been updated.]