Health insurance giant Anthem Blue Cross and Blue Shield discloses breach that could affect tens of millions of customers and employees (Update2)
Following the disclosure by Community Health Systems in an SEC filing that they suspected Chinese hackers were responsible for the theft of 4.5 million patients’ information, the FBI sent out a “Flash” warning to alert the the healthcare sector that it was being targeted by hackers. It was the second warning they had issued in a period of a few months. In fact, the number of warnings about attacks on the healthcare sector has been increasing steadily since the February 2014 SANS report.
Now that nightmare has become a reality for one of the nation’s largest health insurers. Anthem Blue Cross and Blue Shield disclosed that hackers gained access to a database containing information on up to 80 million health insurance customers and employees.
The Wall Street Journal reports:
The health insurer said the breach exposed names, birthdays, addresses and Social Security numbers but doesn’t appear to involve medical information or financial details such as credit-card or bank-account numbers, nor are there signs the data are being sold on the black market.
The breach, which was detected last week, is still under investigation, WSJ reports. So far, there’s been no statement as to whether the data in the compromised database were encrypted nor has the firm determined the means by which the hackers gained access. Mandiant, which has investigated other huge breaches such as the Sony Pictures breach, has been retained to investigate this one.
Update 1: Anthem has just posted this notice on their web site:
To Our Members,
Safeguarding your personal, financial and medical information is one of our top priorities, and because of that, we have state-of-the-art information security systems to protect your data. However, despite our efforts, Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data. Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.
Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation. Anthem has also retained Mandiant, one of the world’s leading cybersecurity firms, to evaluate our systems and identify solutions based on the evolving landscape.
Anthem’s own associates’ personal information – including my own – was accessed during this security breach. We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data.
Anthem will individually notify current and former members whose information has been accessed. We will provide credit monitoring and identity protection services free of charge so that those who have been affected can have peace of mind. We have created a dedicated website – www.AnthemFacts.com – where members can access information such as frequent questions and answers. We have also established a dedicated toll-free number that both current and former members can call if they have questions related to this incident. That number is: 1-877-263-7995. As we learn more, we will continually update this website and share that information you.
I want to personally apologize to each of you for what has happened, as I know you expect us to protect your information. We will continue to do everything in our power to make our systems and security processes better and more secure, and hope that we can earn back your trust and confidence in Anthem.
Joseph R. Swedish
President and CEO
Update 2 (Feb. 5): Chad Terhune of the Los Angeles Times has additional details, including confirmation that the data were not encrypted and:
Suspicious activity was first noticed and reported Jan. 27. Two days later, an internal investigation verified that the company was a victim of a cyber attack, the company said. The unauthorized access to the vast database goes back to Dec. 10.