Anthem Inc., the country’s second-biggest health
insurer, said hackers broke into a database containing personal information for
about 80 million of its customers and employees in what is likely to be the
largest data breach disclosed by a health-care company. Investigators are still
determining the extent of the incursion, which was discovered last week, and
Anthem said it is likely that “tens of millions” of records were stolen. The
health insurer said the breach exposed names, birthdays, addresses and Social Security
numbers but doesn’t appear to involve medical information or financial details
such as credit-card or bank-account numbers, nor are there signs the data are
being sold on the black market.

Anthem, which offers Blue Cross Blue Shield plans in
California, New York and other states, said it doesn’t know precisely how many
people may be affected. So far, it appears that the attack detected last week
is the only breach of Anthem’s systems, and it isn’t yet clear how the hackers
were able to obtain the identification information needed to access the
database, said Thomas Miller, the insurer’s chief information officer.

The insurer said it would reach out to everyone whose
information was stored in the hacked database with a letter and, where
possible, email. It is also setting up an informational website and will offer
to provide a credit-monitoring service.

Its decision to reveal the attack days after its discovery, even
as the investigation is getting under way, may signal a changing attitude among
corporate executives about rapid disclosures in the wake of breaches of
companies including Target Corp., Home Depot Inc. and Sony Pictures
Entertainment Inc.

Anthem’s Mr. Miller said the company wanted “to share the
information as soon as possible.” Federal law requires health-care companies to
inform consumers and regulators when they suffer a data breach involving
personally identifiable information, but they have as many as 60 days after the
discovery of an attack to report it.

Anthem, based in Indianapolis and formerly known as
WellPoint, covers around 37.5 million people. The hacked database included
information for some current and former customers as well as its own employees;
it also held medical and financial details, but the insurer said those details
don’t appear to be included in the data stolen by the hackers. The Anthem
incident could rank among the largest of recent attacks. The J.P. Morgan breach
compromised contact information for about 76 million households.

Anthem’s first sign of the attack came in the middle of last
week, when a systems administrator noticed that a database query was being run
using his identifier code although he hadn’t initiated it. Anthem quickly
determined that an attack had occurred, informed the Federal Bureau of
Investigation and hired Mandiant. Investigators tracked the hacked data to an
outside Web-storage service and were able to freeze it there, but it isn’t yet
clear if the hackers were able to remove it to another location earlier. The
Web-storage service used by the hackers was one that is commonly used by U.S.
companies, which may have made the initial data theft harder to detect.

Click here to access the full article on The Wall Street Journal.