Hackers were successful in accessing the records of millions ofcurrent and former customers, as well as employees of Anthem Inc.,the second largest health insurer in the U.S. The sophisticatedattack involved a customized software program which captured asmany as 80 million records including social security numbers,medical IDs, birthdates, street addresses, email addresses,employment information and even income data.

Anthem President andCEO Joseph Swedish told members in a letter that "based on what weknow now, there is no evidence that credit card or medicalinformation, such as claims, test results or diagnostic codes weretargeted or compromised."

The company discovered the attack on January 29, immediatelycontacted the Federal Bureau of Investigation and continues toassist in their investigation. Anthem has also retainedcybersecurity firm Mandiant to work with them on identifying thevulnerabilities in their system that led to the breach. The companyhas handled high-profile breaches for Sony Pictures Entertainmentand JPMorgan Chase & Co.

At a conference last week in New York City for thebusiness law section of the New York Bar Association, a panel ofexperts highlighted the risks for today's businesses and none areimmune to hackers. With an average of 1.7 million attacks onbusinesses each week, it is not a matter of if a companywill be hacked, but when.

Yanai Siegel with Shafer Glazer LLP told the audience, "In theevent of a data breach, your computer system becomes a crime scene.Preserve the evidence for IT forensics, so any recourse andprosecution options remain available." Anthem's decisions to notifythe FBI and bring in a cybersecurity firm are key steps for anycompany whose records have been breached.

Siegel describes personal information like social securitynumbers and email addresses as "toxic waste." He advised firms to"check your statutes and regulations to find out what is on thehazardous materials list, and then find out if you are keeping anyand where you're keeping it on your computer system."

Stolen social security numbers are particularly vulnerablebecause they can be used with any name or birthdate to open creditcards; apply for jobs, mortgages or rental properties; purchasecars; obtain medical care or event government services.

"Given the reported size and, more importantly, the extent(covering all business lines) it seems clear this was more than oneserver or database," said Winston Krone, managing director of KivuConsulting. "We may find that, like Sony, the hackers had time tonavigate round the network (and sub-networks), possibly jumpingbetween units. Consumers should assume nothing until the extent ofthe breach becomes clearer as the press releases today will beupdated. The size will grow and it will be very likely that medicalrecords have been [affected]. The question will be whether suchadditional compromise is limited to specific business units ofAnthem."  

Anthem has set up a toll-free number for members to call withany questions: 1-877-263-7995. There is also a dedicated websitewith information: www.AnthemFacts.com.

The company will be contacting all individuals whose informationwas compromised and offer free credit monitoring and identityprotection services. Swedish apologized for what had transpired andassured members and employees that the company would work toimprove their systems and security processes.

Krone offers this advice for all insurers concerning theprotection of customers' information. "Other insurers need to lookat their entire networks which have grown with mergers andacquisitions, often without central security oversight andplanning. One poorly protected network added to a largerorganization will be the weak link in the chain. This may have beenthe cause of the Anthem breach."