Hackers have stolen information on tens of millions of Anthem Inc. customers, in a massive data breach that ranks among the largest in corporate history.
The information stolen from the insurance giant includes names, birthdays, medical IDs, social security numbers, street addresses, e-mail addresses and employment information, including income data.
Anthem said there is no evidence that credit card or medical information was compromised. While damage is still being assessed, the compromised database contained up to 80 million customer records.
Formerly known as Wellpoint, Anthem is the second-largest health insurer in the United States. The company operates plans including Anthem Blue Cross, Anthem Blue Cross and Blue Shield Amerigroup and Healthlink.
Anthem pledged to individually notify current and former customers if their data has been stolen, and by late Wednesday evening, some members reported receiving e-mails from the insurer informing them of the breach. Anthem will offer free credit monitoring and identity protection services to affected customers.
“Anthem’s own associates’ personal information — including my own — was accessed during this security breach. We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data,” CEO Joseph Swedish said in a letter to customers.
Anthem said the breach resulted from a “very sophisticated external cyber attack,” and that law enforcement agencies were still working to identify the perpetrator. The company has retained Mandiant, a leading cybersecurity firm, to help in the investigation.
The insurer is the latest in a series of companies to suffer severe data breaches. Last year, hackers obtained credit card data for 40 million Target shoppers, as well as personal information — including names, addresses, phone numbers and e-mail addresses — for 70 million customers.
Records have also been stolen from Neiman Marcus, JPMorgan Chase, Experian, eBay and Home Depot.
The Federal Bureau of investigation said that it was aware of the intrusion, and was investigating the matter. The agency also praised Anthem’s decision to quickly address the breach.
“Anthem’s initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances,” the FBI said. “Speed matters when notifying law enforcement of an intrusion.”
What to do if you’re a customer: If you have Anthem insurance, there’s not much you can do but sit tight for now. Anthem has set up a website, with information about the hack.
In the next few weeks, Anthem will inform you by mail if your information was compromised. All impacted Anthem customers will receive some form of identity fraud protection, the company said.
E-mail addresses might have been stolen, but Anthem has not indicated that passwords were taken as part of the hack. You might want to consider changing your Anthem password, just to be safe. If you are concerned that your Anthem e-mail and password combination could have also been used to login to another service, you should change those passwords as well.
Attorney General DeWine offered the following tips for consumers affected by a data breach:
- Check your mail. Open letters you receive and look for notifications that you have been affected by a security breach.
- Monitor your bank accounts. Look for suspicious activity, and if you find any errors, immediately notify your bank, or credit or debit card provider.
- Place an initial fraud alert on your credit report. Contact one of the three major credit reporting agencies — Experian, Equifax, or TransUnion — to place an initial fraud alert, which will stay on your credit report for 90 days. The alert is free of charge and will make it more difficult for someone to open credit in your name.
- Consider placing a security freeze on your credit report. A security freeze essentially puts a lock on your credit so that most third parties can’t access your report. This helps protect you from unauthorized accounts being opened in your name. In Ohio, security freezes are permanent until you lift them.
- You can be charged a $5 fee per credit reporting agency to place or remove a freeze. Contact each credit reporting agency separately to place a freeze.
Check your credit report here.
- Beware of scams related to the breach. For example, con artists may pose as a person from the organization that was breached to try to obtain your information. Calls claiming to provide information about the breach may be scams.
- Consumers also should look for signs of possible identity theft, which may include: Unexpected mail, such as a bill for a credit card you never signed up for or a member agreement for a bank you’re not associated with. Credit card charges you never made, unexpected collection calls, credit reporting errors or a lower-than-expected credit score.
All Anthem customers should be on alert for scams. Hackers can use the information stolen from your account to impersonate you or your friends and family.
— CNN’s Simon Prokupecz and David Goldman contributed reporting.