Health insurance giant Anthem Inc. said hackers had breached its computer system and that the personal information of tens of millions of customers and employees was possibly at risk.
The attack on the nation’s second-largest health insurer could be one of the largest data breaches in the healthcare industry, experts said. Anthem said hackers infiltrated a database containing records on as many as 80 million people.
Hackers appear to have accessed customers' names, dates of birth, Social Security numbers, member ID numbers, addresses, phone numbers, email addresses and employment information, Anthem said. Some of the customer data may also include details on their income.
At this point, it appears that the data stolen do not include medical information or credit card numbers, according to the company.
The data breach extended across all of Anthem's business, possibly affecting customers at large employers, individual policyholders and people enrolled in Medicaid managed-care plans.
Privacy advocates said the Anthem hack may pose even greater risks to consumers than previous breaches at big retailers such as Home Depot and Target.
Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse in San Diego, said the wide array of personal information taken opens up more possibilities for mischief.
“You essentially have the keys to the kingdom to commit any type of identity theft,” Stephens said. “The information can be used not only to establish new credit accounts but also potentially penetrate existing accounts at financial institutions or a stock brokerage. The scope of the information involved is incredible.”
In a statement late Wednesday the company said: “Cyber attackers executed a very sophisticated attack to gain unauthorized access" to one of the company's computer systems and "have obtained personal information relating to consumers and Anthem Blue Cross employees who are currently covered, or who have received coverage in the past.”
Anthem said the information involved was not encrypted in its database. That drew immediate fire from some security experts.
“It is irresponsible for businesses not to encrypt the data,” said Trent Telford, chief executive of Covata, a data security firm in Reston, Va. “We have to assume the thieves are either in the house or are going to break in. They will always build a taller ladder to climb over your perimeter security.”
Anthem said additional encryption would not have thwarted the attack because an administrator’s credentials were compromised and security protocols were bypassed.
Anthem has more than 37 million members in California and 13 other states. But the company warned that it also had information in its database on other Blue Cross Blue Shield patients from all 50 states who had sought care in its coverage area.
Suspicious activity was first noticed and reported Jan. 27. Two days later, an internal investigation verified that the company was a victim of a cyber attack, the company said.
Cybersecurity analysts warned that the thieves may attack Anthem again using the employee data they took. Anthem said it’s working to strengthen security and identify any potential gaps.
“It is highly possible that they are preparing for another attack, such as a social engineering or phishing attack, that may give them access to systems that they were unable to reach,” said Tom DeSot, chief information officer of cybersecurity firm Digital Defense Inc. in San Antonio.
Anthem has had problems in the past.
In 2013, the company agreed to pay $1.7 million to resolve federal allegations that it exposed protected health information of 612,402 people online because of security weaknesses.
Federal officials said Anthem had inadequate safeguards in an online application database and left names, birth dates, Social Security numbers and health data accessible to unauthorized people.
The investigation by the U.S. Department of Health and Human Services found that the insurer didn’t adequately implement policies for authorizing access to the database and didn’t have technical safeguards in place to verify users.
Anthem and other health insurers already suffer from a poor reputation for customer service and increasingly they must sell coverage directly to individuals as the federal health law reshapes the health insurance business.
Analysts say Anthem will be under pressure to reassure consumers that it can be trusted with their sensitive information.
“The company will need to manage the crisis well,” said Ana Gupte, a healthcare analyst at Leerink Research, “to ensure it does not see any impact on membership.”
Anthem, formerly known as WellPoint, is California's largest for-profit health insurer and the top company by enrollment on the Covered California insurance exchange.
The data breach comes at a crucial time for Anthem. The company is trying to sign up thousands of people in Obamacare coverage before a Feb. 15 deadline as part of the Affordable Care Act. Anthem has more than 700,000 people enrolled in health-law coverage nationwide.
Anthem is the latest organization to be hit by a large-scale data breach. Major retailers, including Target, Home Depot, Michaels and Neiman Marcus have all suffered hacks recently.
In 2013, roughly 18.5 million Californians had their data stolen, according to a report from California Atty. Gen. Kamala Harris.
The wave of cyber attacks, including the recent hacking at Sony Pictures Entertainment, spurred President Obama during his State of the Union address to urge Congress to pass legislation to fight cyber attacks and identity theft.
The FBI, which is investigating the Anthem breach, complimented the company's quick response to the hack.
"Anthem’s initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances," a statement from the FBI said. "Speed matters when notifying law enforcement of an intrusion, as cyber criminals can quickly destroy critical evidence needed to identify those responsible."
The company has established a website, www.anthemfacts.com, where members can access information about the situation.
There is also a dedicated toll-free number that current and former members can call if they have questions related to this incident: (877) 263-7995.
Some Anthem customers received an email notification about the incident late Wednesday from the company’s chief executive, Joseph Swedish.
In the email Swedish said he shared consumers’ frustration since his own personal information was also hacked.
“Anthem’s own associates’ personal information – including my own – was accessed during this security breach,” Swedish wrote. “We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data."
Technology experts said the Anthem incident could become one of the largest data breaches ever pending the outcome of the ongoing investigation.
"If confirmed, we are dealing with one of the biggest data breaches in history and probably the biggest data breach in the healthcare industry,” said Jaime Blasco, vice president and chief scientist at AlienVault, a San Mateo, Calif., information security firm.
“For individuals, in a few words, it is a nightmare," he said. "If the attackers had access to names, birthdays, addresses and Social Security numbers, it means that information can be easily used to carry out identity theft schemes.”
Staff writer Ryan Parker contributed to this report.