Health insurer Anthem said hackers infiltrated its computer network and gained access to personal information for “tens of millions” of customers and employees, including CEO Joseph Swedish.
The nation’s second-largest health insurer said it was contacting customers affected by what it calls a “very sophisticated” cyberattack that the company discovered last week. It said hackers gained access to names, birthdates, email address, employment details, Social Security numbers, incomes and street addresses of people who are currently covered or have had coverage in the past.
The Indianapolis-based insurer said credit card information wasn’t compromised, and it has yet to find evidence that medical information such as insurance claims and test results was targeted or obtained. It was still trying to determine exactly how many people were affected.
A spokeswoman said the insurer was working with federal investigators to figure out who was behind the attack.
Anthem Inc., which recently changed its name from WellPoint, runs Blue Cross Blue Shield plans in more than a dozen states, including California, New York and Ohio. It covers more than 37 million people.
The insurer said all of its product lines were affected. It sells mainly private individual and group health insurance, plans on the health care overhaul’s public insurance exchanges and Medicare and Medicaid coverage. It also offers life insurance and dental and vision coverage.
Affected brands include Anthem Blue Cross, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield and Amerigroup.
Anthem said Wednesday evening that the FBI is investigating and the company has hired Internet security company Mandiant to improve its network defenses. The insurer will provide free credit monitoring and identity protection services.
The FBI urged Anthem customers contacted by the insurer to report suspected instances of identity theft.
In 2013, the insurer agreed to pay $1.7 million to resolve allegations it left the information of more than 612,000 members available online because of inadequate safeguards. The U.S. Department of Health and Human Services said that security weaknesses in an online application database left names, birthdates, addresses, telephone numbers, Social Security numbers, and health data accessible to unauthorized users.
The Health and Human Services Department said then that the insurer didn’t have adequate policies for authorizing access to the database, didn’t perform a needed technical evaluation after a software upgrade, and did not have technical safeguards to verify that the people or entities seeking access were authorized to view the information in the database.
In 2008, the insurer offered free credit monitoring after it said personal information for about 128,000 customers in several states had been exposed online. In 2006, backup computer tapes containing the personal information of 200,000 of its members were stolen from a Massachusetts vendor’s office.
Swedish, who was not running the company when those security breaches occurred, apologized to customers on a website that the insurer established to explain the latest problem, www.anthemfacts.com.
“We will continue to do everything in our power to make our systems and security processes better and more secure, and hope that we can earn back your trust and confidence in Anthem,” he said.
Anthem shares sank 2.6 percent, or $3.65, to $134 in premarket trading about an hour before the market open Thursday.
(AP)