Millions likely affected by data breach of health insurer

Health insurer Anthem Inc, which has nearly 40 million U.S. customers, said late on Wednesday that hackers had breached one of its IT systems and stolen personal information relating to current and former consumers and employees.

The Wall Street Journal, which first reported the attack, said the hacked database contained personal information for about 80 million of Anthem’s current and former customers and employees “in what is likely to be the largest data breach disclosed by a health-care company.”

Anthem operates health plans under numerous names, including Anthem Blue Cross and Anthem Blue Cross and Blue Shield. 

The No. 2 health insurer in the United States said the breach did not appear to involve medical information or financial details such as credit card or bank account numbers. 

The information accessed during the "very sophisticated attack" did include names, birthdays, social security numbers, street addresses, email addresses and employment information, including income data, the company said.

The attack follows data breaches compromising data for millions of customers at institutions such as JP Morgan and big-box retailers like Home Depot and Target as well as upscale Neiman-Marcus. 

The FBI had warned last August that healthcare industry companies were being targeted by hackers, publicizing the issue following an attack on U.S. hospital group Community Health Systems Inc. that resulted in the theft of millions of patient records.

Medical identity theft is often not immediately identified by patients or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected.

Security experts say cyber criminals are increasingly targeting the $3 trillion U.S. healthcare industry, which has many companies still reliant on aging computer systems that do not use the latest security features.

Anthem said that it immediately made every effort to close the security vulnerability and reported the attack to the FBI.

Joseph R. Swedish, Anthem’s chief executive, said he wanted “to personally apologize” for the security breach in letter posted on the company’s website. He said his own personal information had been accessed and emphasized that the company was “working around the clock to do everything we can to further secure your data.”

Anthem had 37.5 million medical members as of the end of December.

Anthem said it would send a letter and email to everyone whose information was stored in the hacked database. It also set up an informational website, www.anthemfacts.com, and will offer to provide a credit-monitoring service.

Al Jazeera with Reuters