(Bloomberg) — Anthem Inc. (NYSE:ANTM) said hackers obtained data on tens of millions of current and former customers and employees in a sophisticated attack that has led to a Federal Bureau of Investigation probe.
The information compromised includes names, birthdates, Social Security numbers, street and e-mail addresses and employee data, including income, Anthem said in an e-mail. The company will notify customers who were affected and provide credit and identity-theft monitoring services for free, Chief Executive Officer Joseph Swedish said in a letter to members.
“As soon as we learned about the attack, we immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation,” Anthem said. The Indianapolis-based company, formerly known as WellPoint, didn’t provide information on how the breach occurred or when it was discovered.
The Anthem breach is the biggest in the health-care industry since Chinese hackers stole Social Security numbers, names and addresses from 4.5 million patients of Community Health Systems Inc., the second-biggest for-profit hospital chain, last year. The attack is on a similar scale to hacks of customer data from Target Corp. and Home Depot Inc. last year in terms of the number of people affected.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) imposes strict privacy and data security requirements on holders of personal health information.
“This attack is another reminder of the persistent threats we face,” U.S. Rep. Michael McCaul, a Texas Republican who leads the Homeland Security Committee, said in a statement.
It’s not known yet where the attack came from or how the hackers got inside Anthem’s computer systems, said Vitor De Souza, spokesman for FireEye Inc., whose Mandiant division was hired this weekend to investigate the breach and began sending specialists to Anthem’s headquarters.
What is known is that the malicious software used to infiltrate the network and steal data was customized, which can be a sign of an advanced attacker, and is a variant of a known family of hacking tools, De Souza said. What’s rare in this case is that Anthem discovered the breach itself, instead of being alerted to it by a third party such as a bank or a credit-card company, De Souza said. Such organizations are often the first to detect fraud and link stolen data to a hacking attack.