As many as 80 million customers of the nation’s second-largest health insurance company, Anthem Inc., have had their account information stolen, the company said in a statement.
“Anthem was the target of a very sophisticated external cyber attack,” Anthem president and CEO Joseph Swedish said in a statement posted on a website the company created for information about the incident.
The hackers gained access to Anthem’s computer system and got information including names, birthdays, medical IDs, Social Security numbers, street addresses, e-mail addresses and employment information, including income data, Swedish said.
The affected database had records for approximately 80 million people in it, “but we are still investigating to determine how many were impacted. At this point we believe it was tens of millions,” said Cindy Wakefield, an Anthem spokeswoman.
That would make it “the largest health care breach to date,” said Vitor De Souza, a spokesman for Mandiant, the computer security company Anthem has hired to evaluate its systems.
Because no actual medical information appears to have been stolen, the breach would not come under the rules of HIPAA, the 1996 Health Insurance Portability and Accountability Act, which governs the confidentiality and security of medical information.
No credit card information was obtained, the company said in a statement e-mailed to USA TODAY.
The hackers were probably not interested in medical information about Anthem’s customers, said Tim Eades, CEO of computer security firm vArmour in Mountain View, Calif.
“The personally identifiable information they got is a lot more valuable than the fact that I stubbed my toe yesterday and broke it,” he said.
Both current and former customers were hit, Swedish said.
Anthem has established a website, www.anthemfacts.com, where members can access information about the breach. There is also a toll-free number for current and former members to call, 877-263-7995.
“Anthem’s own associates’ personal information — including my own — was accessed during this security breach. We join in your concern and frustration and I assure you that we are working around the clock to do everything we can to further secure your data,” Swedish said.
Anthem discovered the breach itself last week. “That is very good news, as two-thirds of the time when we respond, the victim was notified by someone else,” said Vitor De Souza, spokesman for FireEye, which owns Mandiant.
Anthem has contacted the FBI and is working with Mandiant, Swedish said.
“The FBI is aware of the Anthem intrusion and is investigating the matter,” said FBI spokesman Joshua Campbell.
“Anthem’s initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances. Speed matters when notifying law enforcement of an intrusion, as cyber criminals can quickly destroy critical evidence needed to identify those responsible,” he said.
Customers whose information has been stolen should report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov, Campbell said.
“The Anthem insurance company breach is another in a long line of breaches that continue to have a deep and disheartening effect on consumer behavior and the smooth flow of commerce both here at home and worldwide,” said Rep. Bennie Thompson, D-Miss., ranking member of the Committee on Homeland Security.
Anthem Inc. was previously known as WellPoint Inc. It was formed when Anthem Insurance Company bought WellPoint Health Networks in 2004.
Anthem has customers in 14 states.