Attackers have invaded a database at Anthem, the US’s second largest health insurer, getting at names, taxpayer IDs, birthdays, medical IDs, street addresses, email addresses, and employment data, including income – a veritable tool kit for identity theft.
It’s being called the largest data breach ever to be disclosed by a healthcare company, with estimates of about 80 million former and current customers and employees being affected.
Anthem Inc. CEO Joseph Swedish confirmed the attack in a public statement, saying there’s been no evidence that credit card or medical information, such as claims, test results or diagnostic codes, was targeted or compromised.
According to the Wall Street Journal, the breach was discovered last week, and investigators are still trying to determine the extent of the incursion.
Anthem said it closed the security vulnerability that led to the exploit as soon as it learned of it.
The company didn’t give details of when the attack occurred nor how long the hackers had access to its systems.
It has reported the attack to the FBI and has called in multiple security firms to help with forensics and remediation.
Anthem’s CIO, Thomas Miller, told the WSJ that the company reset passwords of all employees with higher-level access to data systems and has blocked all access that involves only one password.
We can only hope that Anthem’s claims about medical data not being involved turn out to be true, because if medical records had been nicked, they likely wouldn’t stay off the black market for long.
The FBI last year warned US healthcare providers that crooks were targeting healthcare data with the intent of using it to make fake medical claims or to purchase drugs or medical equipment that can be sold.
In fact, medical data is reportedly selling at about $10 per record on underground markets – about 10 times more than credit card data.
Anthem said that the breach affects all of its product lines. That includes Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare.
Anthem, which offers plans in California, New York and other states, said it doesn’t know precisely how many people may be affected. Nor is it clear how the intruders were able to get the credentials needed to get into the database.
The company said that it looks like “tens of millions” of records were affected.
According to its site, Anthem’s affiliated companies service nearly 69 million people, including 37 million who are enrolled in its health plans.
Add to that employees and past employees and customers, and the number grows larger still. In fact, even President and CEO Swedish’s information was compromised, he said in the public statement.
The company said in an FAQ that it’s working on an “extensive” forensic investigation to figure out which members were affected:
We are working around the clock to determine how many people have been impacted and will notify all Anthem members who are impacted through a written communication.
Anthem says it will individually notify current and former members whose information has been accessed.
It will also provide credit monitoring and identity protection services free of charge “so that those who have been affected can have peace of mind”.
Anthem has set up a dedicated website – www.AnthemFacts.com – where members can get information about the breach.
It’s also set up a dedicated US toll-free number for both current and former members to call if they have related questions: 1-877-263-7995.
How bad is it?
The lack of credit card data in the haul is cold comfort, given that the breached information can be used to carry out identity theft.
Even without medical information or credit card data being involved, security experts are saying that plain old vanilla identity theft will be a nightmare for the affected individuals.
The stolen data potentially can be used to drain bank accounts, or to open new credit, telephone or even utility accounts.
Stay tuned: we’ll update you when more is known about this massive breach.
In the meantime, keep an eye on your financial statements. It will take Anthem some time to determine who’s been affected and to then notify what’s looking to be an enormous number of people.
If I were an Anthem customer or employee, current or former, I’d err on the side of assuming I was in that demographic, and act accordingly.
7 comments on “US health insurer Anthem drained of 80 million records”
I believe the words “stable” “door” and “bolted” would form an excellent summary… 🙁
Let me guess they
A) Downsized their Security Team (aka laid off the experienced ones)
B) Outsourced to a trustworthy but much cheaper foreign partner.
C) Thought “security” was that nice uniformed pensioner on the VIP door.
Is there any incentive to stop this happening for ever and ever?
Seems CIOs just get golden parachutes then golden hellos as they wander along the Old Boy Network from Corporation to Corporation, “saving money on IT” like a demonic wrecking ball.
I think the incentive to stop this is for all of the victims to wrap their hands around the wallet(s) of these companies. As Charles Colson said, “Grab them by the b***s and their hearts and minds will soon follow.”
You hit it right on the nose. Federal legislation should MANDATE monetary compensation significant enough to wake up these corporate idiots.
Insurance premiums are sky high so should be the penalty for their stupid, lackluster approach to data security. Their response is pure corporate B.S. Let’s see what they actually do.
I actually have to thank Anthem for their lackluster security. Likely having all of my personal information compromised in this breach was the motivational push I needed to finally place a freeze on my credit information. Although the credit bureaus unconscionably charge me $10 apiece for both a freeze and lift (trying to discourage financial responsibility), at least now my not-so-secret SSN can only be used as an identifier, the way it was intended, and not as an authentication mechanism for anyone anxious to grant a crook credit in my good name.
As a former member of Anthem, I am not going to wait for notification by them. They don’t have my new address and I believe my forwarding order with the USPS has expired since it’s been over a year since I moved. What is the procedure with the 3 or 4 credit agencies when asking for a “freeze”? Do they EACH have to be notified individually?
Yes, you need to ask each credit agency individually if you want to place a security freeze in your name. You might be able to do this online. To the best of my knowledge, the current average cost to add or lift a security freeze is around $10-$12.
Hackers “drained” 80 mil records?.. Does it mean Anthem no longer has them?