NEW YORK (CBSNewYork/AP) — Hackers broke into a health insurance database storing information for about 80 million people in an attack bound to stoke fears many Americans have about the privacy of their most sensitive information.
Anthem, the nation’s second-largest health insurer, said it has yet to find any evidence that medical information like insurance claims or test results was targeted or taken in a “very sophisticated” cyberattack that it discovered last week. It also said credit card information wasn’t compromised, either.
“Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation,” CEO Joseph Swedish said in statement. “Anthem has also retained Mandiant, one of the world’s leading cybersecurity firms, to evaluate our systems and identify solutions based on the evolving landscape.”
The hackers did gain access to names, birth dates, email address, employment details, Social Security numbers, incomes and street addresses of people who are currently covered or have had coverage in the past.
An Anthem spokeswoman said Thursday the insurer was working with federal investigators to figure out who was behind the attack. They had not pinned down the exact number of people affected.
Gary Miliefsky, an Anthem customer, also happens to be a cyber security expert. He told CBS2’s Hazel Sanchez on Thursday, “I found out that I’m a victim today, along with 80 million others.”
Miliefsky said he believes the insurance company was victimized by the same type of sophisticated malicious software used in the SONY Pictures breach.
He encouraged customers to sign up for fraud alerts.
“We’ve got to have to start watching monitoring financial statements, bank statements, medical statements much more carefully then we wanted as consumers because of this breach,” Miliefsky said.
Anthem Inc., which recently changed its name from WellPoint, runs Blue Cross Blue Shield plans in more than a dozen states, including California, New York and Ohio. It covers more than 37 million people.
Cybersecurity experts say these hackers may not be done with the insurer, and health records are becoming more attractive to them, as previous targets like the retailers Target and Home Depot shore up their defenses.
“To me, this is the next wave of where we’re going to see more and more attacks,” said Mark Bower, a vice president with the cybersecurity firm Voltage Security. “Cybercrime is a business. The attackers will simply move to the next low-hanging fruit.”
Bower said security practices in health care are not as mature as they are in other industries, and hackers have multiple ways to get into a health care system that links insurers, care providers, labs and other businesses that handle sensitive patient information.
Medical records can be sold to criminals who could construct billing and insurance scams involving fake medical centers or target patients for phone scams.
“That’s the kind of sophistication we have in cybercrime,” Bower said. “We have networks of criminals who can use this data whenever its available based on their skill set.”
Medical data also can be used to extort patients, with the hacker demanding money to prevent the public release of sensitive information, said Eran Barak, CEO of another cybersecurity firm, Hexadite.
He added that the attack may have been a probe to test the insurer’s defenses, with hackers planning to return for more information or installing malware that steals data.
The insurer said all of its product lines were affected. It sells mainly private individual and group health insurance, plans on the health care overhaul’s public insurance exchanges and Medicare and Medicaid coverage. It also offers life insurance and dental and vision coverage.
Government programs are a major business for Anthem. It offers Medicare Advantage health insurance plans, Medicaid managed care coverage, as well as subsidized insurance under the president’s health care law.
Affected brands include Anthem Blue Cross, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield and Amerigroup.