Editor’s note: This story has been updated to include comment from Anthem.
Hackers have stolen information on tens of millions of Anthem Inc. customers, in a massive data breach that ranks among the largest in corporate history.
The information stolen from the insurance giant includes names, birthdays, medical IDs, social security numbers, street addresses, e-mail addresses and employment information, including income data.
Anthem said there is no evidence that credit card or medical information was compromised. While damage is still being assessed, the compromised database contained up to 80 million customer records.
It’s not yet clear how many Connecticut residents might be impacted.
“At this time we do not have specific numbers regarding how many Connecticut members may have been affected,” Anthem spokesman Sarah Yeager said in an email at 1 p.m. Thursday. “We take this breach very seriously which is why we are taking the broadest view possible and assuming that the information of any of our members and employees could have been at risk.”
Attorney General George Jepsen sent a letter to Anthem Thursday demanding more information.
“While my office has not received official notification from Anthem as of yet, we became aware of the breach late yesterday afternoon, and I immediately opened an investigation,” Jepsen said. “This morning, I sent a letter to Anthem requesting information about the security measures the company had in place prior to the breach, the circumstances that led to discovery of the breach and the measures Anthem is taking to ensure this sort of attack will not happen again.”
Jepsen and Department of Consumer Protection Commissioner Jonathan Harris are asking state residents to monitor their financial accounts and credit reports for suspicious activity, and to report any they find to attorney.general@ct.gov or 860-808-5318.
Anthem has set up its own website and number for customer questions at www.anthemfacts.com and 877-263-7995.
Formerly known as Wellpoint, Anthem is the second-largest health insurer in the United States. The company operates plans including Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Amerigroup and Healthlink.
Anthem pledged to individually notify current and former customers if their data has been stolen, and by late Wednesday evening, some members reported receiving e-mails from the insurer informing them of the breach. Anthem will offer free credit monitoring and identity protection services to affected customers.
“Anthem’s own associates’ personal information — including my own — was accessed during this security breach. We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data,” CEO Joseph Swedish said in a letter to customers.
Anthem said the breach resulted from a “very sophisticated external cyber attack,” and that law enforcement agencies were still working to identify the perpetrator. The company has retained Mandiant, a leading cybersecurity firm, to help in the investigation.
The insurer is the latest in a series of companies to suffer severe data breaches. Last year, hackers obtained credit card data for 40 million Target shoppers, as well as personal information — including names, addresses, phone numbers and e-mail addresses — for 70 million customers.
Records have also been stolen from Neiman Marcus, JPMorgan Chase, Experian, eBay and Home Depot.
The Federal Bureau of Investigation said that it was aware of the intrusion and was investigating the matter. The agency also praised Anthem’s decision to quickly address the breach.
“Anthem’s initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances,” the FBI said. “Speed matters when notifying law enforcement of an intrusion.”
— CNN’s Simon Prokupecz contributed reporting.
Image credit: freedigitalphotos.net
