Health giant Anthem hacked

Health insurance giant Anthem Inc. said hackers had breached its computer system and the personal information of tens of millions of customers and employees was possibly at risk.

The attack on the nation’s second-largest health insurer could be one of the largest data breaches in the health care industry, experts said. Anthem said hackers infiltrated a database containing records on as many as 80 million people.

Hackers appear to have accessed customers’ names, dates of birth, Social Security numbers, member ID numbers, addresses, phone numbers, email addresses and employment information, Anthem said. Some of the customer data may also include details on their income.

At this point, it appears that the data stolen do not include medical information or credit card numbers, according to the company.

The data breach extended across all of Anthem’s business, possibly affecting customers at large employers, individual policyholders and people enrolled in Medicaid managed-care plans.

In a statement late Wednesday the company said: “Cyber attackers executed a very sophisticated attack to gain unauthorized access” to one of the company’s computer systems and “have obtained personal information relating to consumers and Anthem Blue Cross employees who are currently covered, or who have received coverage in the past.”

Anthem said the information involved was not encrypted in its database. That drew immediate fire from some security experts.

“It is irresponsible for businesses not to encrypt the data,” said Trent Telford, chief executive of Covata, a data security firm in Reston, Virginia. “We have to assume the thieves are either in the house or are going to break in. They will always build a taller ladder to climb over your perimeter security.”

Anthem has more than 37 million members in California and 13 other states. But the company warned that it also had information in its database on other Blue Cross Blue Shield patients from all 50 states who had sought care in its coverage area.

Suspicious activity was first noticed and reported Jan. 27. Two days later, an internal investigation verified that the company was a victim of a cyberattack, the company said. The unauthorized access to the vast database goes back to Dec. 10.

Cybersecurity analysts warned that the thieves may attack Anthem again using the employee data they took. Anthem said it’s working to strengthen security and identify any potential gaps.

“It is highly possible that they are preparing for another attack, such as a social engineering or phishing attack, that may give them access to systems that they were unable to reach,” said Tom DeSot, chief information officer of cybersecurity firm Digital Defense Inc. in San Antonio.

Anthem has had problems in the past.

In 2013, the company agreed to pay $1.7 million to resolve federal allegations that it exposed protected health information of 612,402 people online because of security weaknesses.

Federal officials said Anthem had inadequate safeguards in an online application database and left names, birth dates, Social Security numbers and health data accessible to unauthorized people.

The investigation by the U.S. Department of Health and Human Services found that the insurer didn’t adequately implement policies for authorizing access to the database and didn’t have technical safeguards in place to verify users.

The company has established a website, www.anthemfacts.com, where members can access information about the situation.