US health insurer Anthem hacked, exposing up to 80 million records

Hackers have broken into a database at US health insurer Anthem said to contain the personal data of up to 80 million people

Hackers have broken into a database at the second-largest health insurer in the US, which reportedly contains the personal data of up to 80 million customers and employees.

The unencrypted data includes names, dates of birth, addresses, social security numbers, phone numbers and employment history – but not medical or financial information.

Anthem confirmed the breach and said all the company’s business units are affected, but did not specify how many consumer records may have been exposed.

Affiliated brands affected by the breach include Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare.

The insurer said it had reported the attack to the FBI, while cyber security firm FireEye said Anthem had hired it to help investigate the attack, reports The Guardian.

Investigators are still determining the extent of the breach, and Anthem said it would be contacting customers whose personal information may have been stolen, reports the New York Post.

Investigators used the standard description for data breaches of this kind, saying the attack was "very sophisticated" and that attackers used “advanced” custom tools.

Hackers target healthcare firms

Security professionals have identified healthcare companies as prime targets for attackers, due to the quantity and value of the sensitive information those organisations collect.

They warned that stolen information could be used to impersonate the people involved, to commit fraud and other cyber crimes.

“The stolen data is likely to be used as bait for further phishing attacks, especially in emails claiming to be from Anthem or an affiliate company,” said Keith Bird, managing director at Check Point UK.

“Armed with the data they already have, attackers will try to trick those affected by the breach into revealing further details, such as account numbers and passwords.”

Bird warned that phishing emails are the most common means of social engineering attacks, so Anthem customers should be suspicious of any email or phone calls that relate to the breach.

Data spivs

Websense Security Labs has warned that cyber criminals are set to become information dealers in the coming year.

Websense principal security analyst Carl Leonard said criminals will use the sale of credit card numbers to fund the collection of a broader range of data about victims.

“The underground market is flooded with stolen credit card data, but that will help fund the collection of fuller, richer personal information sets about individuals,” Leonard told Computer Weekly.

These datasets will be far more lucrative than credit card details on the underground market and will include details of multiple credit cards, as well as regional, geographic, behavioural and personal data.

Websense expects this emerging trade in datasets on individuals will enable a new level of identity theft to enable fraud.

Hospital data breach

The Anthem breach comes six months after US hospital group Community Health Systems  revealed that hackers gained access to 4.5 million patient records in a cyber attack from April to June 2014.

The attack on the hospital group is believed to have originated in China and enabled the intruders to bypass security measures to steal patients' personal data.

Anthem reportedly discovered the breach last week when a systems administrator caught a database query run under his ID without his knowledge.

The company has been praised for its speedy public disclosure of the breach, in contrast with Home Depot and other US firms breached in recent months that delayed notifying the people who could have been affected.

Some US politicians have used the latest data breach to renew calls on US lawmakers to remove legal barriers to sharing cyber threat information.

Read more on Privacy and data protection