Hackers infiltrated Anthem's information technology system and gained access to the personal information of about 80 million current and former members. It appears to be by far the largest cyberattack ever disclosed by a healthcare company.
In what the Indianapolis-based company described as a "very sophisticated" attack, hackers gained access to the names, birthdays, medical IDs, Social Security numbers, addresses, e-mail addresses, employment information and income data of current and former members, including Anthem employees, according to a letter to customers by CEO Joseph Swedish. The company has no evidence that credit card or medical information, such as claims, test results or diagnostic codes were "targeted or compromised," Swedish wrote.
The source of the attack is unclear. All product lines were impacted, including Anthem Blue Cross, Anthem Blue Cross and Blue Shield, and Blue Cross and Blue Shield of Georgia, among other brands. Anthem (formerly WellPoint) has 37.5 million members enrolled in its affiliated health plans and serves 68.5 million people through all of its subsidiary businesses, which include Medicaid managed care and claims administration for self-funded plans.
Anthem is cooperating with an FBI investigation into the attack, and has contacted Mandiant, a major cybersecurity firm, to determine the vulnerabilities in its systems. Swedish notes in the letter that, along with his employees, his own personal information was accessed in the breach.
"I want to personally apologize to each of you for what has happened, as I know you expect us to protect your information," Swedish wrote. "We will continue to do everything in our power to make our systems and security processes better and more secure, and hope that we can earn back your trust and confidence in Anthem."
The Health Information Trust Alliance, a healthcare data security collaborative, said in a statement that Anthem has been collaborating with the HITRUST Cyber Threat Intelligence and Incident Coordination Center, or C3, by sharing some evidence related to the attack.
By anonymously sharing the information with C3 participants, HITRUST was able to determine that Anthem was the sole target of the attack. The IT security organization said Anthem took the steps necessary to prepare itself for a significant attack.
"We believe that Anthem's adoption of strong information security controls, comprehensive assessment process, participation in cyber preparedness exercises and cyberthreat information sharing were crucial in their ability to detect, analyze, remediate and collaborate swiftly and effectively," HITRUST said.
Anthem has pledged to continue to share information with HITRUST, the organization said.
The attack on Anthem dwarfs what was previously the biggest known healthcare breach attribute to hackers. That was last year when Community Health Systems, the Franklin, Tenn.-based hospital chain, was targeted by an attack originating in China. CHS said at the time it believed the hackers were hunting for intellectual property on medical devices but instead stole patient information belonging to 4.5 million patients of its physician practices.
Anthem intends to individually notify affected individuals and provide credit monitoring and identity protection services free of charge. It also created a website and a hotline for questions related to the incident.
Follow Adam Rubenfire on Twitter: @arubenfire