The cyberattack on health insurer Anthem points to the vulnerability of health-care companies, which security specialists say lag behind other industries in protecting sensitive personal information.

Experts said the information was vulnerable because Anthem did not take steps, such as protecting the data in its computers through encryption, in the same way it protected medical information that was sent or shared outside the database.

The hackers gained access to up to 80 million records that included Social Security numbers, birthdays, addresses, email and employment information and income data for customers and employees, including its own chief executive.

Anthem officials say they do not know who is behind the attack, but several security consultants have noted that in the past, Chinese hackers have shown an interest in going after health-care companies.

A securities-industry consultant who requested anonymity said there were suspicions the hackers might have been working with the backing of a foreign government, or with people with ties to a foreign government.

The hackers are thought to have infiltrated Anthem’s networks by using a sophisticated malicious software program that gave them access to the login credential of an Anthem employee.

“This is one of the worst breaches I have ever seen,” said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, a nonprofit consumer education and advocacy group. “These people knew what they were doing and recognized there was a treasure trove here, and I think they are going to use it to engage in very sophisticated kinds of identity theft.”

Anthem officials became aware of the breach when one of their senior administrators noticed someone was using his identity to request information from the database.

The request — or query — by the hackers appears so far to have been for financial information only. Anthem officials say that medical information in insurance claims shared with doctors and hospitals — such as whether a customer was treated for substance abuse, for example — does not appear to have been taken in the attack.

“We’re positive that the rogue query did not have medical data in it,” said Thomas Miller, Anthem’s chief information officer. The people who gained access to the database “consciously selected what they selected.”

The insurer, along with federal investigators and security experts from FireEye’s Mandiant division, is trying to determine whether there were other requests that it did not detect, a process that could take several more weeks.

California’s insurance commissioner said he and other regulators will examine whether the Indianapolis-based company is doing enough to prevent future breaches.

The federal government had put Anthem on notice in 2013 about its computer vulnerabilities, and last year the FBI warned health-care companies about the growing threat of cyberattack on the industry.

“The ability of health-care companies to compile data has grown far faster than their ability to protect it,” said Alan Sager, a health-policy professor at Boston University. “For too many organizations, it’s more about maximizing revenue, while protecting patient confidentiality ranks at the bottom.”

Miller said Anthem and other health-care companies had become increasingly aware of the criminal value of the information they have, in light of the large cyberattacks against financial-service companies such as JPMorgan Chase or retailers such as Target.

Anthem has more than 37 million members in California and 13 other states, but not Washington. But the company warned that it also had information in its database on other Blue Cross Blue Shield patients from all 50 states who had sought care in its coverage area. It operates health plans under numerous brands, including Anthem Blue Cross, Anthem Blue Cross/Blue Shield, Blue Cross and Blue Shield of Georgia and Empire Blue Cross Blue Shield.

While experts like Stephens said the hackers might not have been particularly interested in the medical information available in Anthem’s database, the company’s decision to make the breach public quickly means it is early in the investigation into exactly what happened and what information may have been compromised.

“You can spend months doing the forensics,” said Fred Cate, a law professor and cybersecurity expert at Indiana University.

While he praised Anthem for taking the “unusual and quite laudable step in coming forward quite quickly,” he cautioned that company officials might not know the scope of the attack at this point. Still, Cate said the breach was not likely to result in the public unveiling of sensitive medical information, unlike smaller attacks aimed at finding something embarrassing or derogatory about an executive or celebrity. “As a general matter, huge breaches often result in less harm than targeted breaches,” he said. “The notion that someone’s poring over this data is highly unlikely.”

Anthem’s fundamental mistake was to assume that information within its database was secure, said John Kindervag, an analyst with Forrester Research, and thus not apply the same protective standards the company uses when sending data to a doctor’s office. “All cybercrime is an inside job,” he said, because the criminals are able to penetrate a database from the outside and act as an insider in gaining access to data, which is what occurred in the Anthem breach.

Current federal privacy regulations, and the industry standard, call for encrypting information that is being sent from the database. Health-insurance companies frequently share information with doctors, hospitals and others. In fact, the sharing of medical records is encouraged by the federal government.

While the health industry has not previously experienced the large-scale breaches that have plagued retailers such as Target and Home Depot, there have been smaller attacks. Statistics maintained by the federal government’s Office for Civil Rights at the Department of Human Services say there have been 740 major health-care breaches affecting 29 million people in the past five years.

Anthem established a website, www.anthemfacts.com, where members can learn more about the situation and a hotline at 877-263-7995.