By Christine Kern, contributing writer
A sophisticated external cyberattack has hit the nation’s second-largest health insurance company.
Anthem Inc., the nation’s second-largest health insurance company, has reported it was hit by a highly sophisticated external cyber-attack that has left the account information of as many as 80 million customers vulnerable.
According to The Wall Street Journal, the attack was first identified when a systems administrator discovered a database query being run using his identifier code without being initiated by him. Anthem responded quickly, determined that a breach had occurred, and followed protocol by reporting it to the Federal Bureau of Investigation. They also engaged a cybersecurity service to investigate.
In the statement, President and CEO Joseph R. Swedish hastened to assure the insurer’s customers that, “These attackers gained unauthorized access to Anthem’s system and had access to names, birthdates, medical IDs/social security numbers, street addresses, email addresses, and employment information, including income data. Based on what we know now, there is no evidence that credit card or medical information were targeted or compromised.
“Anthem’s own associates’ personal information – including my own – was accessed during this security breach. We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data.”
Anthem is fully cooperating with investigations by the FBI into the matter and has engaged Mandiant – the cybersecurity firm that exposed ongoing cyberattacks in 2013 by the People’s Liberation Army – according to Tech Crunch.
According to USA Today, the attack could affect as many as 80 million customers, a number that is double that of the Target data breach last year. Vitor De Souza, a spokesman for Mandiant, told USA Today that would make it “the largest health care breach to date.”
“The FBI is aware of the Anthem intrusion and is investigating the matter,” FBI spokesman Joshua Campbell told USA Today. “Anthem's initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances. Speed matters when notifying law enforcement of an intrusion, as cyber criminals can quickly destroy critical evidence needed to identify those responsible.”
The breach is not subject to HIPAA rules, however, since no actual medical information appears to have been stolen. The 1996 Health Insurance Portability and Accountability Act governs the confidentiality and security of medical information.
Anthem has established a website, www.anthemfacts.com, where members can access information about the breach. There is also a toll-free number for current and former members to call, 877-263-7995.