Anthem (NYSE:ANTM), the nation’s second-largest health insurer, said last night that it was the victim of an external cyberattack. The FBI and security researchers are still working to figure out the scope of the attack, but they’ve been able to confirm that hackers got into a database that had up to 80 million past and present customer records, as well as records of employees.
No one is yet sure what was taken, but Anthem suspects that the criminals got names, addresses, email addresses, employment-related information and dates of birth. But there’s a lot we don’t know. No credit card data is believed to have been stolen. No medical records — including test results, doctor information or insurance claims — are believed to have been stolen. But this hasn’t been confirmed. No one is sure who attacked the system. No one is sure how much this will cost Anthem in the end.
I spent the night on the phone with security researchers who are figuring out the scope of the attack. They work with a health-care-focused information-sharing security organization called the National Health Information Sharing and Analysis Center, or NH-ISAC. I’ve written before about this group, which is trying to beef up the industry’s cyber defenses:
Most of the industries that are considered part of the country’s critical infrastructure have an ISAC, such as aviation (A-ISAC), defense (DIB-ISAC) and financial services (FS-ISAC). These groups were created during the past decade or so as a way to let companies in a given sector share information about data breaches. Financial services, which has taken security seriously for longer than most of corporate America, started its ISAC in 1999. The health-care ISAC came much later, opening in 2010.
The researchers say that it’s too early to know how big the breach is, but that it has the potential to be twice as large as the Target hack. It was first detected a week ago. Anthem has a website and hotline customers can use as resources. Anthem customers received emails last night saying that they will get free identity repair and credit monitoring services.
Health care is a particularly enticing target for hackers because it involves a huge web of companies that all have access to particularly sensitive data. This breach should be taken very seriously amid the current movement to digitize records, especially health records — any electronic file that’s attached to the Internet can be breached.