Health insurer Anthem hit by huge data breach

It's being called the largest data breach in the healthcare industry, and it provides yet one more cautionary tale for retailers.

Health insurer Anthem said late Wednesday it was the target of "a very sophisticated cyber attack" that put as many as 80 million people at risk of identity theft as names, Social Security numbers, birthdates, addresses, e-mail addresses, employment information and income data were stolen. There is no evidence that credit card or medical information was compromised, the company reported.

Anthem employees, including President and CEO Joseph Swedish, were among the victims, as were former customers of the insurer. A letter was sent by Swedish this morning to those affected.

"Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation. Anthem has also retained Mandiant, one of the world's leading cybersecurity firms, to evaluate our systems and identify solutions based on the evolving landscape," Swedish wrote.

Anthem established a website, as well as a toll-free number, 877-263-7995, to provide information about the breach.

The San Jose Mercury News reported that federal investigators suspect hackers backed by China's government were behind the breach.

USA Today reported that Anthem discovered the breach last week. "That is very good news, as two-thirds of the time when we respond, the victim was notified by someone else," said Vitor De Souza, spokesman for FireEye, which owns Mandiant.

If medical information was not stolen, the breach would not come under HIPAA rules. The federal Health Insurance Portability and Accountability Act governs the security and confidentiality of such data.

However, "the personally identifiable information they got is a lot more valuable than the fact that I stubbed my toe yesterday and broke it," Tim Eades, CEO of computer security firm vArmour, told USA Today.

Healthcare has become more of a focus for hackers after breaches at companies like Home Depot and Target have caused retailers to increase security.

According to online security experts, healthcare companies can provide many entry points into their systems for hackers to steal data. Once that information is obtained, far more extensive and lucrative schemes can be hatched.

"If someone steals your credit card and home address, they might be able to buy something, but you can usually get that locked down quickly," Tony Anscomb, a security expert with the cyber-security firm AVG Technologies, told the Associated Press. "With medical records and a Social Security number, it's not so simple."

For more:
- See Anthem's letter to its members
- See Anthem's frequently asked questions
- See this San Jose Mercury News story
- See this Associated Press story
- See this USA Today story