(Reuters) — Hackers have stolen personal information relating to current and former customers and staff of No. 2 U.S. health insurer Anthem Inc., after breaching an IT system containing data on up to 80 million people, the company said late yesterday.
Anthem, which has nearly 40 million customers in the United States, said it had reported the attack to the FBI, and cybersecurity firm FireEye Inc. said it had been hired to help Anthem investigate the attack.
"We do confirm that this was done by an advanced group using custom malware," said FireEye spokesman Vitor De Souza, noting that Anthem employees identified the breach, which was limited to a window of a few days.
"We know across the board that when you do see something, you need to act fast", which Anthem appears to have done, De Souza said.
Anthem said in a statement that names, birthdays, social security numbers, street addresses, email addresses and employment information, including income data, had been accessed in what it described as a "very sophisticated attack".
The breach did not appear to involve medical information or financial details such as credit card or bank account numbers, Anthem said, adding it immediately made every effort to close the security vulnerability, which was discovered last week.
FireEye’s De Souza said the breached database contained information from about 80 million individuals, but the extent of stolen data is still unknown, as are the perpetrators and method of the cyberattack.
"That information is a treasure trove for cybercriminals. It can easily be sold on underground markets within hours and used for a wide variety of identity fraud schemes," said Stuart McClure, CEO of cybersecurity firm Cylance Inc.
Cybersecurity has become a major concern both for U.S. firms facing a barrage of attacks and for insurers trying to figure out how much of that risk they can afford to underwrite.
A high-profile attack against Sony Corp.'s Pictures Entertainment late last year brought the company headlines for everything from pay disparities among its employees to internal critiques about the studio’s own movies.
Other attacks have spooked consumers, with retailers Target and Home Depot both reporting the theft of such personal data as credit card numbers in recent years.
President Barack Obama’s recently proposed fiscal 2016 budget sets aside $14 billion to strengthen U.S. cybersecurity defenses, an increase of 10%.
Security cost
Cylance’s McClure, who has helped healthcare companies respond to previous breaches, said it typically costs health insurers at least $100 per stolen record to clean up this type of cyberattack. If 10 million records were stolen, the costs to respond would likely top $1 billion, he said.
That includes costs for setting up a hotline to answer customer questions, providing credit monitoring services and meeting state and federal government disclosure requirements.
Security experts say cybercriminals are increasingly targeting the $3 trillion U.S. healthcare industry, which has many companies still reliant on aging computer systems that do not use the latest security features.
One of the largest U.S. hospital operators, Community Health Systems Inc, last year said Chinese hackers had broken into its computer network and stolen the information of 4.5 million patients.
The percentage of healthcare organizations that have reported a criminal attack rose to 40% in 2013 from 20% in 2009, according to an annual survey by the Ponemon Institute think-tank on data protection policy.
Anthem spokeswoman Kristin Binns said the company has doubled its spending on cybersecurity over the past 4 years. The health insurer had 37.5 million medical members as of the end of December.
"This attack is another reminder of the persistent threats we face, and the need for Congress to take aggressive action to remove legal barriers for sharing cyber threat information," U.S. Rep. Michael McCaul, a Republican from Texas and chairman of the Committee on Homeland Security, said in a statement late yesterday.
Medical identity theft is often not immediately identified by patients or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected.
Anthem said it would send a letter and email to everyone whose information was stored in the hacked database. It also set up an informational website, www.anthemfacts.com, and will offer to provide a credit-monitoring service.
Connecticut and New York prosecutors reached out to Anthem today, with Connecticut attorney general George Jepsen asking Anthem CEO Joseph Swedish to provide detailed information about the cyberattack, the company’s security practices and privacy policies by March 4, according to a letter obtained by Reuters.
A representative for New York attorney general Eric Schneiderman said his office had contacted Anthem to discuss protecting its customers in the wake of the data breach.
And President Barack Obama’s cybersecurity adviser said today that he was concerned about the breach.
"Obviously it’s quite concerning that we would have yet another intrusion of this size," Michael Daniel said at a seminar organized by Bloomberg Government.
"It’s particularly disturbing especially when it hits that many people," Daniel said, advising affected consumers to change their passwords and monitor their credit scores.
Daniel declined to comment further on the breach, which is under investigation by the FBI.