Personal data from as many as 80 million current and former customers of Anthem, one of the nation’s largest health insurers, has been breached by outside hackers.
Joseph R. Swedish, Anthem president and chief executive officer, said the company was the victim of a “very sophisticated external cyberattack.”
He added the company is working with the Federal Bureau of Investigation (FBI) to determine who was responsible.
The attackers were able to access data from current and former Anthem customers, including names, birthdays, social security numbers, street addresses, and employment data.
“Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results, or diagnostic codes were targeted or compromised,” Swedish wrote on the company’s website.
The Wall Street Journal reported that Anthem became aware of the attack Jan. 29 when a systems administrator noticed an outside database query was being run with his identifier code.
The hacked data was tracked to a common web-storage service, but investigators have yet to determine where the breach came from, the Journal reported.
Since the breach, Anthem has hired Mandiant, a U.S. cybersecurity firm.
The Anthem breach could be one of the largest security breaches in history. Other recent hacking attacks — including on giants like Staples, Home Depot, and JPMorgan Chase — have highlighted the importance of security for big databases of citizen records.
The FBI has named cybersecurity as one of its top enforcement priorities.
A Need for Better Firewall Protection
Steven M. Bellovin, a computer science professor at Columbia University and member of the Department of Homeland Security’s Science and Technology Advisory Committee, told Healthline these types of security breaches involve multiple steps.
“In this case, it sounds like someone got into the Anthem network and hacked the administrator’s system and used it to steal his password. After that, they were able to get into the system,” Bellovin said.
Since the attack, Anthem has been criticized for not having encryption on its databases, but Bellovin said encryption wouldn’t have done much good in this case, considering how often the database is accessed by hospitals and other organizations.
“Encryption is like a lock. You need a key. You can have a lock on your house that is good and strong, but if you leave the key under the doormat, a burglar is going to find it,” Bellovin said. “You have to protect the key; otherwise it’s the same as leaving the door wide open.”
Based on previous data breaches of this size, Bellovin said companies need better firewall protection to protect sensitive data. More importantly, when these attacks occur, information needs to be shared quickly with everyone involved in the company’s security to prevent them from occurring again.
“That’s why airplanes are so safe today, because we’ve learned from previous plane crashes. Now that we know, some of these things won’t happen again,” he said. “I’m asserting that some of these cyberbreaches have become so serious that there’s a societal interest to find out what goes wrong. We need to know what happened — both Anthem and society as a whole — to prevent attacks like these from continuing.”
The Average Person Shouldn’t Worry
In the meantime, Bellovin assures the average Anthem patient whose information has been compromised that they have little to worry about.
“In a case like this, the basic advice is not to worry, and the reason is that there are two possibilities: they want specific information from someone or they grabbed the whole thing,” he said. “They can’t use 80 million social security numbers. They don’t have that kind of use, so they’re probably not going to be used.”
Those targeted, Bellovin said, would be people doing business abroad, such as people working in defense contracting.
“If it was random, the law of averages says you’re going to be fine,” Bellovin said. “If it’s a targeted attack, you should be aware.”
A spokesperson for Anthem told Healthline the company will be individually notifying customers whose information has been accessed and will be providing free credit monitoring and identity protection services.
Past and present Anthem customers can call 1-877-263-7995 with any questions.