Attackers have invaded a database at Anthem, the US’s second largest health insurer, getting at names, taxpayer IDs, birthdays, medical IDs, street addresses, email addresses, and employment data, including income – a veritable tool kit for identity theft.
It’s being called the largest data breach ever to be disclosed by a healthcare company, with estimates of about 80 million former and current customers and employees being affected.
Anthem Inc. CEO Joseph Swedish confirmed the attack in a public statement, saying there’s been no evidence that credit card or medical information, such as claims, test results or diagnostic codes, were targeted or compromised.
According to the Wall Street Journal, the breach was discovered last week, and investigators are still trying to determine the extent of the incursion.
Anthem said it closed the security vulnerability that led to the exploit as soon as it learned of it.
The company didn’t give details of when the attack occurred nor how long the hackers had access to its systems.
It has reported the attack to the FBI and has called in multiple security firms to help with forensics and remediation.
Anthem’s CIO, Thomas Miller, told the WSJ that the company reset passwords of all employees with higher-level access to data systems and has blocked all access that involves only one password.
We can only hope that Anthem’s claims about medical data not being involved turn out to be true, because if medical records had been nicked, they likely wouldn’t stay off the black market for long.
The FBI last year warned US healthcare providers that crooks were targeting healthcare data with the intent of using it to make fake medical claims or to purchase drugs or medical equipment that can be sold.
In fact, medical data is reportedly selling at about $10 per record on underground markets – about 10 times more than credit card data.
Anthem said that the breach affects all of its product lines. That includes Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare.
Anthem, which offers plans in California, New York and other states, said it doesn’t know precisely how many people may be affected. Nor is it clear how the intruders were able to get the credentials needed to get into the database.
The company said that it looks like “tens of millions” of records were affected.
According to its site, Anthem’s affiliated companies service nearly 69 million people, including 37 million who are enrolled in its health plans.
Add current and former employees and customers, and the number grows larger still. In fact, even President and CEO Swedish’s information was compromised, he said in the public statement.
The company said in an FAQ that it’s working on an “extensive” forensic investigation to figure out which members were affected:
We are working around the clock to determine how many people have been impacted and will notify all Anthem members who are impacted through a written communication.
Anthem says it will individually notify current and former members whose information has been accessed.
It will also provide credit monitoring and identity protection services free of charge “so that those who have been affected can have peace of mind”.
Anthem has set up a dedicated website – www.AnthemFacts.com – where members can get information about the breach.
It’s also set up a dedicated US toll-free number for both current and former members to call if they have related questions: 1-877-263-7995.
How bad is it?
The lack of credit card data in the haul is cold comfort, given that the breached information can be used to carry out identity theft.
Even without medical information or credit card data being involved, security experts are saying that plain old vanilla identity theft will be a nightmare for the affected individuals.
The stolen data potentially can be used to drain bank accounts, or to open new credit, telephone or even utility accounts.
Stay tuned: we’ll update you when more is known about this massive breach.
In the meantime, keep an eye on your financial statements. It will take Anthem some time to determine who has been affected and then to notify what looks to be an enormous number of people.
If I were an Anthem customer or employee, current or former, I’d err on the side of assuming I was in that demographic, and act accordingly.