UPDATE 3-US health insurer Anthem hit by massive cybersecurity breach – Reuters
(Adds details, background, quotes from FireEye and
By Supriya Kurane and Jim Finkle
Feb 4 (Reuters) – Hackers have stolen personal information
relating to current and former customers and staff of No. 2 U.S.
health insurer Anthem Inc., after breaching an IT
system containing data on up to 80 million people, the company
said late on Wednesday.
Anthem, which has nearly 40 million customers in the United
States, said it had reported the attack to the FBI, and
cybersecurity firm FireEye Inc. said it had been hired to help
Anthem investigate the attack.
“We do confirm that this was done by an advanced group using
custom malware,” said FireEye spokesman Vitor De Souza, noting
that Anthem employees identified the breach, which was limited
to a window of a few days.
“We know across the board that when you do see something,
you need to act fast”, which Anthem appears to have done, De
Anthem said in a statement that names, birthdays, social
security numbers, street addresses, email addresses and
employment information, including income data, had been accessed
in what it described as a “very sophisticated attack”.
The breach did not appear to involve medical information or
financial details such as credit card or bank account numbers,
Anthem said, adding it immediately made every effort to close
the security vulnerability, which was discovered last week.
FireEye’s De Souza said the breached database contained
information from about 80 million individuals, but the extent of
stolen data is still unknown, as are the perpetrators and method
of the cyberattack.
“That information is a treasure trove for cybercriminals. It
can easily be sold on underground markets within hours and used
for a wide variety of identity fraud schemes,” said Stuart
McClure, chief executive of cybersecurity firm Cylance Inc.
Cybersecurity has become a major concern both for U.S. firms
facing a barrage of attacks and for insurers trying to figure
out how much of that risk they can afford to underwrite.
A high-profile attack against Sony Pictures Entertainment
late last year brought the company headlines for
everything from pay disparities among its employees to internal
critiques about the studio’s own movies.
Other attacks have spooked consumers, with retailers Target
and Home Depot both reporting the theft of such
personal data as credit card numbers in recent years.
President Barack Obama’s recently proposed fiscal 2016
budget sets aside $14 billion to strengthen U.S. cybersecurity
defenses, an increase of 10 percent.
Cylance’s McClure, who has helped healthcare companies
respond to previous breaches, said it typically costs health
insurers at least $100 per stolen record to clean up this type
of cyberattack. If 10 million records were stolen, the costs to
respond would likely top $1 billion, he said.
That includes costs for setting up a hotline to answer
customer questions, providing credit monitoring services and
meeting state and federal government disclosure requirements.
Security experts say cybercriminals are increasingly
targeting the $3 trillion U.S. healthcare industry, which has
many companies still reliant on aging computer systems that do
not use the latest security features.
One of the largest U.S. hospital operators, Community Health
Systems Inc, last year said Chinese hackers had broken into its
computer network and stolen the information of 4.5 million
The percentage of healthcare organizations that have
reported a criminal attack rose to 40 percent in 2013 from 20
percent in 2009, according to an annual survey by the Ponemon
Institute think-tank on data protection policy.
Anthem spokeswoman Kristin Binns said the company has
doubled its spending on cybersecurity over the past four years.
The health insurer had 37.5 million medical members as of the
end of December.
“This attack is another reminder of the persistent threats
we face, and the need for Congress to take aggressive action to
remove legal barriers for sharing cyber threat information,”
U.S. Rep. Michael McCaul, a Republican from Texas and chairman
of the Committee on Homeland Security, said in a statement late
Medical identity theft is often not immediately identified
by patients or their provider, giving criminals years to milk
such credentials. That makes medical data more valuable than
credit cards, which tend to be quickly canceled by banks once
fraud is detected.
Anthem said it would send a letter and email to everyone
whose information was stored in the hacked database. It also set
up an informational website, www.anthemfacts.com, and will offer
to provide a credit-monitoring service.
(Reporting by Supriya Kurane in Bengaluru, Jim Finkle in Boston
and Deena Beasley in Los Angeles; Editing by Ken Wills and Alex