Insurance giant Anthem Inc. suffered a massive data breach exposing the personal information of up to 80 million Americans — and it could have been even worse for consumers.
The hackers didn’t take sensitive medical information on patients or their credit card data, according to the company, even though it was stored alongside Social Security numbers and other personal information that were stolen.
For several weeks last month, hackers infiltrated the key database of customer and employee information at the nation’s second-largest health insurer. The company stumbled upon the attack last week and then scrambled to alert customers and authorities.
The intrusion is raising fresh questions about the ability of giant health insurers and other medical providers to safeguard the vast troves of electronic medical records and claims data they are stockpiling.
All this comes at a time when Anthem is spearheading an ambitious effort to build a controversial database of medical records on 9 million Californians for use by hospitals and doctors.
In light of the data breach, patient advocates called on consumers to boycott the Anthem-led California Integrated Data Exchange, or Cal Index, as it prepares to launch this year. California’s insurance commissioner said he and other regulators will examine whether the Indianapolis-based company is doing enough to prevent future breaches.
The federal government had put Anthem on notice in 2013 about its computer vulnerabilities, and last year the FBI warned healthcare companies about the growing threat of cyberattack on the industry.
“The ability of healthcare companies to compile data has grown far faster than their ability to protect it,” said Alan Sager, a health-policy professor at Boston University. “For too many organizations it’s more about maximizing revenue, while protecting patient confidentiality ranks at the bottom.”
The hackers broke into one of Anthem’s databases sometime around early January, according to people familiar with the investigation. An Anthem employee noticed a large query running in the database on Jan. 27 using his log-in information and reported the suspicious activity.
Two days later, an internal investigation verified that the company was a victim of a cyberattack, the company said, and federal authorities were alerted.
Anthem said hackers accessed customers’ names, dates of birth, Social Security numbers, addresses, phone numbers, email and employment information. Some of the customer data may also include details on their income.
The data breach extended across all of Anthem’s business, possibly affecting customers at large employers, individual policyholders and people enrolled in Medicaid managed-care plans. It also involved data on company employees. The full extent of the data breach and the fallout for consumers remains unknown.
The initial investigation and analysis by outside experts has pointed to the possibility of professional hackers in China. Cybersecurity firms pointed to similarities between the Anthem hack and one last year at Tennessee-based hospital chain Community Health Systems Inc.
In that hospital attack, hackers stole information on about 4.5 million patients. Like Anthem, a wide array of personal information was taken — but no clinical or credit card data.
The hospital chain said a hacker in China bypassed its security measures. Both Anthem and the FBI declined to comment on who may be behind the attack as investigations continue.
Federal investigators praised Anthem for quickly notifying authorities about the suspicious activity. In other cases, companies haven’t reported a data breach until outside analysts alert them to the problem.
Joseph Swedish, Anthem’s chief executive, apologized to customers and vowed to do everything possible to protect their data going forward.
The company said it was hit by a “very sophisticated attack” and it has had success in the past thwarting similar attempts. It identifies about 200 credible attempts against its data networks each month.
In response, Anthem said it has doubled its spending on cybersecurity in the past four years and it has 200 employees dedicated to monitoring and safeguarding its networks.
“Our ability to detect this and secure the environment immediately speaks to the seriousness we pursue this with,” said Anthem spokeswoman Kristin Binns.
Anthem said the information involved was not encrypted in its database, drawing intense criticism from some security experts. But the company said additional encryption would not have stopped the attack because an administrator’s credentials were compromised and security protocols were bypassed.
UnitedHealth Group Inc., the nation’s largest health insurer, said it was monitoring its own systems closely in light of the Anthem attack.
Consumer advocates said the issue of whether Anthem was largely at fault or the victim of a clever attack misses the point that no healthcare database is safe.
“This thirst for more and more data from the medical industry inevitably places consumers’ health information at risk,” said Carmen Balber, executive director of Consumer Watchdog, a Santa Monica advocacy group. “It’s not fair to consumers for these companies to create one-stop shopping for data thieves.”
Her organization and other patient privacy groups urged Californians Thursday to opt out of Cal Index, the Anthem-backed patient database. A spokesman for Cal Index said it has “robust systems in place” to protect data.
This was not the first such slip-up by Anthem.
In 2013, the company agreed to pay $1.7 million to resolve federal allegations that it exposed protected health information of 612,000 people online because of security weaknesses.
Federal officials said Anthem had inadequate safeguards in an online application database and left names, birth dates, Social Security numbers and health data accessible to unauthorized people.
In other lapses, Anthem accidentally posted the Social Security or tax identification numbers for more than 24,000 California doctors in its online provider directory in 2013. Two years earlier, the company mailed letters to about 30,000 customers with their Social Security numbers visible through the envelope window.
“Anthem does not have a very good track record of protecting the information entrusted to them,” said Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse in San Diego.
The wide array of personal information pilfered from the company could pose even greater risk to consumers than previous breaches at big retailers such as Home Depot and Target.
“You essentially have the keys to the kingdom to commit any type of identity theft,” Stephens added.
Some Anthem customers received an email notification about the incident late Wednesday from Swedish, the company’s chief executive. The company also established a website, https://www.anthemfacts.com, where members can learn more about the situation as well as a hotline at (877) 263-7995.
In the email Swedish said he shared consumers’ frustration since his own information was also hacked.
“We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data,” Swedish said.
Brett Winton, a financial consultant in Venice and Anthem Blue Cross policyholder, said he wasn’t entirely surprised by news of the hack considering his frustration dealing with Anthem’s computer system as a customer.
“From dealing with their IT system on the front end as a customer,” Winton said, “my impression is they don’t know what they are doing.”
Anthem has more than 37 million members in California and 13 other states. But the company warned that it also had information in its database on other Blue Cross Blue Shield patients from all 50 states who had sought care in its coverage area.
Anthem and other health insurers already suffer from a poor reputation for customer service, and they increasingly must sell coverage directly to individuals as the federal health law reshapes the health insurance business.
“Healthcare companies like Anthem have got to invest far more effort and resources in data security to regain public trust,” said Gerald Kominski, director of the UCLA Center for Health Policy Research.