In what may turn out to be the largest breach of healthcare data in history, health insurer Anthem Inc. reported on February 4, 2015, that its computer systems had been targeted in a “very sophisticated external cyber attack.” The potential exposure is estimated at nearly 80 million Anthem customers - a number that dwarfs the prior record-holder for accounts breached held by Community Health Systems of Tennessee (CHS). The CHS breach of 2014, an attack that originated in China, affected patient information belonging to 4.5 million patients.
While the source of the attack is still unclear, Anthem reports that all of its product lines were impacted, including Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Empire Blue Cross, Unicare and others.
In an email the company said:
Anthem Blue Cross was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data. Based on what we know now, there is no evidence that credit card or medical information (such as claims, text results or diagnostic codes) were targeted or compromised.
Anthem is now cooperating with the FBI’s investigation of the incident and has retained cyber security firm Mendiant to evaluate their systems. While the investigation is ongoing, Anthem is conducting an internal audit to determine which customers have been affected. The company indicates that all impacted Anthem members (or former members) will be notified by mail and that the company will provide credit monitoring and identity protection services free of charge.
This incident serves as a glaring example of the need for constant vigilance of corporate IT systems, particularly in those sectors that maintain data subject to HIPAA and HITECH. Given the potential legal liability for non-compliance, and the increased focus on enforcement seen in the last several years, companies must count data security as among their highest priorities.