The massive computer breach against Anthem, the nation’s second-largest health insurer, exposes a growing cyberthreat facing health-care companies that experts say are often unprepared for large attacks.
Hackers gained access to the private data of 80 million former and current members and employees of Anthem in one of the largest medical-related cyber-intrusions in history.
Authorities said the breach, which was discovered late last month and disclosed this week, did not involve private health records or credit card numbers but did expose Social Security numbers, income data, birthdays, and street and e-mail addresses.
Investigators suspect Chinese hackers may be responsible for the breach, according to a person briefed on some aspects of the probe. There are also some indications that other health-care companies may have been targeted, said the individual, who spoke on the condition of anonymity to discuss the ongoing investigation.
Security experts said health care has become one of the ripest targets for hackers because of its vast stores of lucrative financial and medical information. Health insurers and hospitals, they added, have often struggled to mount the kinds of defenses used by large financial or retail companies, leaving key medical information vulnerable.
While medical records, such as treatment details or test results, were not compromised in what Anthem called “a very sophisticated attack,” experts say the breach underlines the worrying potential for hackers to steal private health data that is valued on the black market as tools for extortion, fraud or identity theft. Medical information could be exploited, for example, to file false insurance claims and buy prescription drugs, and attackers could extort cash from policyholders desperate to keep their private medical data under wraps.
“Health-care records are the new credit cards,” said Ben Johnson, chief security strategist at cybersecurity firm Bit9 + Carbon Black. “If someone gets your credit card number, you cancel it. If you have HIV, and that gets out, there’s no getting that back.”
Anthem, formerly known as WellPoint, covers 1 in 9 Americans through its affiliate health plans, including under the Blue Cross Blue Shield brands. The breach has “definite potential to be the largest” hack of a health-care organization, although it is too early in the investigation to say definitively, said Vitor De Souza, a spokesman for FireEye, which owns the company now helping with Anthem’s security.
The data breach could affect individual policyholders as well as those enrolled in managed-care plans through Medicaid. Anthem’s chief executive, Joseph R. Swedish, was among those to have their personal data exposed. Anthem said it will notify current and former members whose information was breached, as well as provide free credit-monitoring and identity-protection services.