Hackers have stolen information on tens of millions of Anthem Inc. customers, in a massive data breach that ranks among the largest in corporate history.
The information stolen from the insurance giant includes names, birthdays, medical IDs, social security numbers, street addresses, e-mail addresses and employment information, including income data.
Anthem said there is no evidence that credit card or medical information was compromised. While damage is still being assessed, the compromised database contained up to 80 million customer records.
Formerly known as Wellpoint, Anthem is the second-largest health insurer in the United States. The company operates plans including Anthem Blue Cross, Anthem Blue Cross and Blue Shield Amerigroup and Healthlink.
Anthem pledged to individually notify current and former customers if their data has been stolen, and by late Wednesday evening, some members reported receiving e-mails from the insurer informing them of the breach. Anthem will offer free credit monitoring and identity protection services to affected customers.
“Anthem’s own associates’ personal information — including my own — was accessed during this security breach. We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data,” CEO Joseph Swedish said in a letter to customers.
Anthem said the breach resulted from a “very sophisticated external cyber attack,” and that law enforcement agencies were still working to identify the perpetrator. The company has retained Mandiant, a leading cybersecurity firm, to help in the investigation.
The insurer is the latest in a series of companies to suffer severe data breaches. Last year, hackers obtained credit card data for 40 million Target shoppers, as well as personal information — including names, addresses, phone numbers and e-mail addresses — for 70 million customers.
Records have also been stolen from Neiman Marcus, JPMorgan Chase, Experian, eBay and Home Depot.
The Federal Bureau of investigation said that it was aware of the intrusion, and was investigating the matter. The agency also praised Anthem’s decision to quickly address the breach.
“Anthem’s initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances,” the FBI said. “Speed matters when notifying law enforcement of an intrusion.”
What to do if you’re a customer: If you have Anthem insurance, there’s not much you can do but sit tight for now. Anthem has set up a website, anthemfacts.com, with information about the hack.
In the next few weeks, Anthem will inform you by mail if your information was compromised. All impacted Anthem customers will receive some form of identity fraud protection, the company said.
E-mail addresses might have been stolen, but Anthem has not indicated that passwords were taken as part of the hack. You might want to consider changing your Anthem password, just to be safe. If you are concerned that your Anthem e-mail and password combination could have also been used to login to another service, you should change those passwords as well.
All Anthem customers should be on alert for scams. Hackers can use the information stolen from your account to impersonate you or your friends and family.
— CNN’s Simon Prokupecz and David Goldman contributed reporting.