San Francisco-based health insurer Anthem informed millions of its customers via e-mail Thursday morning that hackers had gained access to the company's computers. Customers’ names, birth dates, Social Security numbers, addresses and employment data might have been stolen in the breach, first announced late Wednesday.
The attack could affect as many as 80 million current and former customers of Anthem. No credit card information was accessed in the attack, according to Anthem, which operates in 14 states, including California and New York, and is the nation's second-largest health insurance company. There does not seem to be any information about who was responsible for the hack or how they breached Anthem's systems.
The company said that its databases also contained information on Blue Cross-Blue Shield patients from all 50 states. "Anthem will individually notify current and former members whose information has been accessed. We will provide credit monitoring and identity protection free of charge so that those who have been affected can have piece (sic) of mind," Anthem President and CEO Joseph Swedish said in the e-mail to users.
The company is still looking into exactly how many records were actually stolen but said it believed it was in the tens of millions. The database that was infiltrated contained records for 80 million people. If that database file was taken, it would be the largest healthcare breach to date, according to Mandiant, the computer security company Anthem has hired to evaluate its systems.
We reached Stu Sjouwerman, CEO of Clearwater, Fla.-based security firm KnowBe4, who told us the Anthem story was unusual in that the company discovered and reported the breach itself. He added that as a result of the breach, customers as well as human resource and finance firms will likely receive a flood of phishing e-mails disguised as notifications from Anthem.
Sjouwerman also said that the records breached are especially valuable to criminals. "This should put all healthcare companies on notice," he said. "In the underground cyber market, healthcare records can bring $50 each and up. Compare that to credit card records, which generally bring only a dollar or two each."
Anthem discovered the breach last week. The e-mail sent to the company’s customers on Thursday morning contained only a link to a company Web site, www.AnthemFacts.com, and a toll-free number to call. Customers were asked not to send in any information. If customers whose information has been stolen suspect identity theft, they should report it to the FBI's Internet Crime Complaint Center at www.ic3.gov, according to Anthem.
Be on Watch
Other than customer medical identification numbers, no actual medical information appears to have been stolen in the data breach. If no medical information was stolen, the breach would not be covered under the rules of HIPAA, the 1996 Health Insurance Portability and Accountability Act, which governs the confidentiality and security of medical information.
Attacks against the healthcare industry are the most common of those compiled by the Identity Theft Resource Center, with about 42.5 percent of all data breaches in 2014 being directed toward companies in that sector.
Sjouwerman noted that smaller healthcare companies don’t necessarily have less to worry about just because they presumably have less to lose. "A super hack like this is rare," he said. "Small-to-medium healthcare enterprises are the preferred target of cybercriminals because they don’t have the dedicated budget and staff to fight it."
Posted: 2015-02-07 @ 1:30pm PT
If you get an email supposedly from Anthem about the data breach... DO NOT click on any of the links in that email. It's part of an elaborate cybercrime phishing scheme to gather even more data from people whose records were stolen from Anthem in the latest hack attack.