Hackers have stolen personal details of up to 80 million people from US health insurer Anthem in what could be the biggest cyber security breach to befall a healthcare provider.
Anthem is the second largest health insurer in the United States, insuring about 37.5 million people and their families. The company has stated that it’s likely that “tens of millions” of records have been stolen by cyber criminals.
The stolen records include names, dates of birth and Social Security numbers, but there are currently no signs that medical data or financial information has been taken.
If the information does make its way into the cyber criminal dark market, there’s potential for it to be sold for the purposes of committing fraud. However, Anthem believes this hasn’t happened – yet.
According to The Wall Street Journal, the single breach took place last week. Anthem CIO Thomas Miller is currently unsure how the hackers were able to break into the company’s networks, but a system administrator noticed it had occurred when a query was being run in their name, despite their not having initiated it.
Anthem has already set out a plan to contact all customers who may be affected by the breach and provide information on what precautions they should take to protect their personal data.
Charles Sweeney, CEO of web security firm Bloxx, welcomed the decision to make the hack public, but also voiced concern about the amount of personal data which has been stolen.
“Whilst Anthem’s customers will be relieved to know that no financial or health data is thought to have been stolen, the fact that so much personal data has been taken will be a serious concern for customers, who will no doubt be worried about identity theft,” he said.
“I am sure Anthem would advise its customers to be alert and on the lookout for any suspicious activity in the coming weeks,” Sweeney added.
The FBI has already been brought in to investigate the case and “is aware of the Anthem intrusion and is investigating the matter”, said a spokesperson. The FBI also praised the healthcare provider for its “initial response in promptly notifying the FBI after observing suspicious network activity”.
Federal law gives companies 60 days to report cyber attacks after they’ve been discovered, which means Anthem has made the data theft public much faster than required by law.
This is in stark contrast with JPMorgan, America’s largest bank, which took weeks to inform 83 million households that their data could have been compromised.
The attack initially occurred in August, but JPMorgan didn’t reveal the extent of the damage until October.
US retailer Target also took a month to reveal the full extent of data stolen by hackers following a significant cyber attack in December 2013.