Hackers were successful in accessing the records of millions of current and former customers, as well as employees of Anthem Inc., the second largest health insurer in the U.S. The sophisticated attack involved a customized software program which captured as many as 80 million records including social security numbers, medical IDs, birthdates, street addresses, email addresses, employment information and even income data.
Anthem President and CEO Joseph Swedish told members in a letter that “based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.”
The company discovered the attack on January 29, immediately contacted the Federal Bureau of Investigation and continues to assist in the FBI's investigation. Anthem has also retained cybersecurity firm Mandiant to help identify the vulnerabilities in its systems that led to the breach. Mandiant has handled high-profile breaches for Sony Pictures Entertainment and JPMorgan Chase & Co.
At a conference last week in New York City for the business law section of the New York Bar Association, a panel of experts highlighted the risks for today’s businesses, none of which are immune to hackers. With an average of 1.7 million attacks on businesses each week, it is not a matter of if a company will be hacked, but when.
Yanai Siegel with Shafer Glazer LLP told the audience, “In the event of a data breach, your computer system becomes a crime scene. Preserve the evidence for IT forensics, so any recourse and prosecution options remain available.” Anthem’s decisions to notify the FBI and bring in a cybersecurity firm are key steps for any company whose records have been breached.
Siegel describes personal information like social security numbers and email addresses as “toxic waste.” He advised firms to “check your statutes and regulations to find out what is on the hazardous materials list, and then find out if you are keeping any and where you’re keeping it on your computer system.”
Stolen social security numbers are particularly vulnerable because they can be used with any name or birthdate to open credit cards; apply for jobs, mortgages or rental properties; purchase cars; obtain medical care or even government services.
“Given the reported size and, more importantly, the extent (covering all business lines) it seems clear this was more than one server or database,” said Winston Krone, managing director of Kivu Consulting. “We may find that, like Sony, the hackers had time to navigate round the network (and sub-networks), possibly jumping between units. Consumers should assume nothing until the extent of the breach becomes clearer as the press releases today will be updated. The size will grow and it will be very likely that medical records have been [affected]. The question will be whether such additional compromise is limited to specific business units of Anthem.”
Anthem has set up a toll-free number for members to call with any questions: 1-877-263-7995. There is also a dedicated website with information: www.AnthemFacts.com.
The company will be contacting all individuals whose information was compromised and offering free credit monitoring and identity protection services. Swedish apologized for what had transpired and assured members and employees that the company would work to improve its systems and security processes.
Krone offers this advice for all insurers concerning the protection of customers’ information. “Other insurers need to look at their entire networks which have grown with mergers and acquisitions, often without central security oversight and planning. One poorly protected network added to a larger organization will be the weak link in the chain. This may have been the cause of the Anthem breach.”