Anthem, one of the largest U.S. health insurers, said Wednesday one of its IT systems was breached, resulting in the loss of customer and employee information including income data.
The insurer, which set up a special webpage on Wednesday addressing the breach, said it is still assessing the impact of the attack.
Anthem’s breach could be one of the largest affecting a health care provider and adds to a growing list of large companies that have suffered expensive and damaging data breaches over the last year, including Sony Pictures Entertainment and Home Depot.
Anthem has 37.5 million subscribers for its health plans, and more than 68 million people are served by its affiliated companies under the brands Blue Cross and Blue Shield, Empire Blue Cross, Amerigroup, Caremore, Unicare, Healthlink and DeCare.
The FBI has been notified. Anthem said it has also hired Mandiant, the computer forensics unit of FireEye, to investigate the breach. The attackers have not been identified yet.
Anthem CEO and President Joseph R. Swedish described the breach as a “very sophisticated external cyber attack.” He wrote that his own information was accessed as well.
“We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data,” Swedish wrote.
The stolen data includes names, birth dates, Social Security numbers, addresses, phone numbers, email addresses and member IDs, Anthem said. It also includes employment information and income levels.
No medical data, such as diagnosis or treatment information, or credit card data was exposed, Anthem said. Affected members will be contacted through the mail.
After stealing such information, hackers often bundle it up and sell it on underground forums to other cybercriminals, who could try to use it in a variety of identity-related scams, such as ordering credit cards or taking out loans.
Anthem officials reached Wednesday night did not have further information to share.