Hackers Breached Data of Millions, Insurer Says

Anthem, one of the nation’s largest health insurers, said late Wednesday that the personal information of tens of millions of its customers and employees, including its chief executive, was the subject of a “very sophisticated external cyberattack.”

The company, which is continuing its investigation into the exact scope of the attack, said hackers were able to breach a database that contained as many as 80 million records of current and former customers, as well as employees. The information accessed included names, birthdays, addresses, email and employment information, including income data.

Anthem said no credit card information had been stolen, and it emphasized that it did not believe medical information like insurance claims or test results were compromised. It said hospital and doctor information was also not believed to have been taken.

Still, the attack, which was first reported by The Wall Street Journal, could be the largest breach of a health care company to date, and one of the largest ever of customer information.

Anthem said that the breach was detected on Jan. 29, and that the company was now working with the Federal Bureau of Investigation. The company said it had also hired Mandiant, a well-known cybersecurity firm, to look into vulnerabilities of its computer system.

In a letter to the company’s members, Joseph R. Swedish, Anthem’s chief executive, said he wanted “to personally apologize” for the security breach. He said his own personal information had been accessed and emphasized that the company was “working around the clock to do everything we can to further secure your data.”

Anthem operates health plans under numerous brands, including Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia and Empire Blue Cross and Blue Shield.

The company said it would begin notifying members in the coming weeks. In a statement, the F.B.I. said that it was investigating the breach, and that people should alert officials to any possible instances of identity theft.

Anthem set up a website, www.AnthemFacts.com, and a toll-free number, 1-877-263-7995, to respond to any questions. The company said it would provide free identity repair services and credit monitoring.

The last year has seen an increasing number of sophisticated and ever larger hacks on corporate networks and even on federal government social media accounts.

In December, Staples, the office supply retailer, said hackers had broken into the company’s network and compromised the information of about 1.16 million credit cards when they broke into the company’s network in October.

JPMorgan Chase, the nation’s largest bank, last summer said hackers had compromised some of the personal information of 83 million households and small businesses. But the bank has said that the attack was limited to nonfinancial information such as customer addresses, phone numbers and email addresses.

And in November, hackers that the United States government has said had ties to the North Korean government orchestrated a destructive attack on Sony Entertainment that resulted in a flood of confidential executive emails and personal information about employees and the company’s plans for coming movies.

Federal authorities believe the attack was in response to Sony’s plans to release the movie “The Interview,” a comedy about fictional plot to kill the North Korean leader Kim Jong-un.

The ever increasing threat of cyberattacks on United States companies, whether carried out by cybercriminals looking to steal information to make money or nation-state actors looking to send a message, has become a top priority for federal law enforcement.

The F.B.I. now ranks cybercrime as one of its top law enforcement activities, and President Obama’s recently proposed budget advocates sharply increasing spending on cybersecurity, to $14 billion.

Social Security numbers are a particularly popular target for hackers. Combinations of Social Security numbers, birth dates and names sell for more than even credit card numbers in an increasingly sophisticated black market, where such information is sold and resold through popular auction sites.

Law enforcement officials have openly said that keeping ahead of the hackers — many of whom are believed to live overseas — is a challenge. On Wednesday, Leo Taddeo, the F.B.I. agent in New York who oversees the cyber and special operations division, said at a financial services industry conference in New York that “we are losing ground” in the battle with hackers.

Other in law enforcement have said it is no longer a matter whether a company will be hacked but when it will be hacked.

The threat of a hacking is particularly acute in the health care and financial services industry, where companies routinely keep the most sensitive personal information about their customers on large databases.

“We have seen a huge in uptick in health care hacks,” said Vitor De Souza, vice president of communications for FireEye, the parent company of Mandiant.

Anthem learned of the hacking last week and called in Mandiant over the weekend. The company was not obligated to report the breach for at least several more weeks but chose to do so now to show that it was treating the matter seriously.

The F.B.I. praised Anthem for quickly alerting the authorities. “Anthem’s initial response in promptly notifying the F.B.I. after observing suspicious network activity is a model for other companies and organizations facing similar circumstances,” said Joseph Campbell, an F.B.I. spokesman, in an email statement.

Source: The New York Times