Anthem Inc., the second-biggest U.S. health insurer, said hackers obtained data on tens of millions of current and former customers and employees in a sophisticated attack that has led to a Federal Bureau of Investigation probe.
The breach potentially exposed personal information for as many as 80 million customers.
The information compromised includes names, birthdates, Social Security numbers, street and email addresses and employee data, including income, Anthem said in an email. The company will notify customers who were affected and provide credit and identify-theft monitoring services for free, CEO Joseph Swedish said in a letter to members.
“As soon as we learned about the attack, we immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation,” Anthem said. The Indianapolis-based company, formerly known as WellPoint, didn’t provide information on how the breach occurred or when it was discovered.
The Anthem breach is the biggest in the health-care industry since Chinese hackers stole Social Security numbers, names and address from 4.5 million patients of Tennessee-based Community Health Systems Inc., the second-biggest for-profit hospital chain, last year. The attack is on a similar scale to hacks of customer data from Target Corp. and Home Depot Inc. last year in terms of the number of people affected.
“This attack is another reminder of the persistent threats we face,” U.S. Rep. Michael McCaul, a Texas Republican who leads the Homeland Security Committee, said in a statement.
It’s not known yet where the attack came from or how the hackers got inside Anthem’s computer systems, said Vitor De Souza, spokesman for FireEye Inc., whose Mandiant division was hired this weekend to investigate the breach and began sending specialists to Anthem’s headquarters.
What is known is that the malicious software used to infiltrate the network and steal data was customized, which can be a sign of an advanced attacker, and is a variant of a known family of hacking tools, De Souza said. What’s rare in this case is that Anthem discovered the breach itself, instead of being alerted to it by a third party such as a bank or a credit-card company, De Souza said. Such organizations are often the first to detect fraud and link stolen data to a hacking attack.
Investigators were able to track the stolen data to an Internet storage service that the attackers were using to warehouse their pilfered information, De Souza said.
He added that Mandiant, which has investigated such big-name breaches as Sony Pictures Entertainment and JPMorgan Chase & Co., is seeing more attacks against health care companies, which are repositories of personal information that can be used for all kinds of fraud.
“We have seen a large uptick in health-care attacks—health care is now a common vector of attack,” he said. “You have your traditional ones, government, finance, high-tech and critical infrastructure are dominating, but healthcare and legal stand out as among the fastest-growing attack vectors in the world.”
Aetna Inc., the third-largest U.S. insurer, said in 2009 it was notifying about 65,000 people that their personal information, including Social Security numbers, may have been compromised on a job applicant site.
Social Security numbers are among the worst kind of data to have stolen, because they are difficult to change and are used pervasively, especially for access to medical care, government services and opening new lines of credit.
Most large breaches, such as Target’s, involve payment-card numbers, as those are of most immediate and easiest use for cyber-criminals, who exploit the gap between when information is taken and when companies discover a breach to withdraw cash from ATMs and run up fraudulent charges before the cards are canceled. For cyber-criminals, Social Security numbers are more useful, in that they can be used to validate people to lenders, but they require the extra step of setting up new accounts, which some online crooks find too time-consuming and risky.