80M records hacked at Anthem, nation's second-largest health insurer
The enormous computer breach against Anthem, the nation's second-largest health insurer, exposes a growing cyberthreat facing health care companies that experts say are often unprepared for large attacks.
Hackers gained access to the private data of 80 million former and current members and employees of Anthem in one of the largest medical-related cyber-intrusions in history.
Authorities said the breach, which was discovered late last month and disclosed this week, did not involve private health records or credit card numbers but did expose Social Security numbers, income data, birthdays, and street and email addresses.
Investigators suspect Chinese hackers may be responsible for the breach, according to an individual briefed on some aspects of the probe. There are some indications that other health care companies may have been targeted, said the individual, who spoke on the condition of anonymity to discuss the ongoing investigation.
Security experts said health care has become one of the ripest targets for hackers because of its vast stores of lucrative financial and medical information. Health insurers and hospitals, they added, have often struggled to mount the kinds of defenses used by large financial or retail companies, leaving key medical information vulnerable.
While medical records, such as treatment details or test results, were not compromised in what Anthem called “a very sophisticated attack,” experts say the breach underlines the potential for hackers to steal private health data, which is valued on the black market as a tool for extortion, fraud or identity theft. Medical information could be exploited, for example, to file false insurance claims and buy prescription drugs, and attackers could extort cash from policyholders desperate to keep their private medical data under wraps.
“Health care records are the new credit cards,” said Ben Johnson, chief security strategist at cybersecurity firm Bit9 + Carbon Black. “If someone gets your credit card number, you cancel it. If you have HIV, and that gets out, there's no getting that back.”
Anthem, formerly known as WellPoint, covers 1 in 9 Americans through its affiliate health plans, including under the Blue Cross Blue Shield brands. The breach has “definite potential to be the largest” hack of a health care organization, although it is too early in the investigation to say definitively, said Vitor De Souza, a spokesman for FireEye, which owns the company helping with Anthem's security.
It wasn't only Anthem's customers whose data may have been compromised in the breach, Anthem spokesman Tony Felts said.
“Information from other Blue Cross and Blue Shield plans, not affiliated with Anthem, may have been accessed as part of this cyberattack,” Felts said. “The investigation is ongoing to determine the number of consumers affected.”
Highmark Inc., the nation's fourth-largest Blues company, declined to comment on whether its customers were among those hacked.
“Highmark is in contact with Anthem to gain additional insight about this issue and learn how it might impact our members. We will continue to follow the situation,” spokesman Aaron Billger said.
Attorney General Kathleen Kane's office is working with attorneys general in several states to investigate the breach, according to a statement from her office.
“It is unclear at this time how many Pennsylvania consumers may have been affected,” the office said.
The data breach could affect individual policyholders as well as those enrolled in managed-care plans through Medicaid. Anthem's chief executive, Joseph R. Swedish, was among those whose personal data were exposed. Anthem said it will notify current and former members whose information was breached, as well as provide free credit-monitoring and identity-protection services.
Once Anthem discovered the data breach Jan. 29, company officials contacted the FBI and retained Mandiant, a cybersecurity firm, to investigate the attack and review the insurer's defenses. The intrusion occurred at least as early as early December, and possibly earlier, according to a second individual briefed on the case, who spoke on the condition of anonymity.
Dmitri Alperovitch, co-founder of cybersecurity firm CrowdStrike, said he has seen Chinese government hackers target health care providers and insurers in the past six months for Social Security numbers and personal identifying information as well as health care information.
“China sucks up as much information as possible on a variety of people that could come in handy later,” he said.
China has been implicated in hacks on USIS, a major U.S. contractor that conducts background checks for the Department of Homeland Security. The Chinese have targeted state motor vehicle departments and other agencies with large databases, Alperovitch said.
“The more information the Chinese have about large segments of the American population, the easier it is for them to penetrate our military and intelligence agencies,” said Joel Brenner, former U.S. national counterintelligence executive. “They then have the health care information, the fingerprints and the real names of an enormous set of people, many of whom are prime recruits for our intelligence services or our military or who are already in our military. It's an enormous advantage in penetrating cover.”
Alex Nixon of Trib Total Media contributed.