
Anthem is the nation’s second-largest health insurer, operating Blue Cross and Blue Shield plans in 14 states including California. Company officials report that Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from up to 80 million current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data. No information is available about the status of any information in its database arising out of Workers’ Compensation MPN services.

Anthem officials became aware of the breach when one of their senior administrators noticed someone was using his identity to request information from the database. Once the attack was discovered, Anthem said it immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation. Anthem has also retained Mandiant, one of the world’s leading cybersecurity firms, to evaluate its systems and identify solutions based on the evolving landscape.

Anthem will individually notify current and former members whose information has been accessed. It will provide credit monitoring and identity protection services free of charge. Anthem created a dedicated website – www.AnthemFacts.com – where members can access information such as frequent questions and answers. It has also established a dedicated toll-free number that both current and former members can call if they have questions related to this incident. That number is: 1-877-263-7995.

The hackers are thought to have infiltrated Anthem’s networks by using a sophisticated malicious software program that gave them access to the login credential of an Anthem employee. “This is one of the worst breaches I have ever seen,” said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, a nonprofit consumer education and advocacy group. “These people knew what they were doing and recognized there was a treasure trove here, and I think they are going to use it to engage in very sophisticated kinds of identity theft.”

The decision by Anthem to bring in the Federal Bureau of Investigation and go public with the breach is the kind of move that law enforcement officials have been encouraging for the last several months. F.B.I. officials have appeared at a number of industry conferences urging corporate executives to promptly report breaches and, when possible, share information about the breach with competitors.

The cyberattack points to the vulnerability of health care companies, which security specialists say are behind other industries in protecting sensitive personal information. Experts said the information was vulnerable because Anthem did not take steps, like protecting the data in its computers through encryption, in the same way it protected medical information that was sent or shared outside of the database. While the health industry has not previously experienced the large-scale breaches that have plagued retailers like Target and Home Depot, there have been smaller attacks. Statistics maintained by the federal government’s Office for Civil Rights at the Department of Human Services say there have been 740 major health care breaches affecting 29 million people over the last five years. But the information that health providers maintain about consumers tended to be more valuable on the black market than the credit card information that is often stolen from a retailer.

Katherine Keefe, global focus group leader for breach response services at Beazley, which underwrites cyberliability policies, said, “The value to a criminal of having a full set of medical information on a person can go for $40 to $50 on the street. By contrast, a credit card number is often worth $4 or $5.” The information can be used to impersonate hacking victims to obtain medical care or to purchase expensive medical equipment such as motorized wheelchairs. It often takes health-care providers longer to detect this type of fraud than credit card companies or banks, which are constantly looking for inconsistencies that could signal a problem. That also means it can be more time-consuming and costly for victims to correct, experts say. Criminal attacks on health-care organizations increased 100 percent between 2009 and 2013, according to a report on patient privacy by think tank the Ponemon Institute. About 40 percent of health organizations reported facing criminal cyberattacks in 2013, the report said.