
Anthem, the second largest health insurer in the United States, has admitted that hackers broke into its servers and accessed databases containing sensitive customer information.

According to a statement issued by Anthem, who were formerly known as Wellpoint, both current and former customers are at risk after the hackers managed to gain access to systems containing names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information. Income data of customers was also exposed to the hackers.

As is the norm these days, the company describes the hack as “very sophisticated”. No-one, after all, likes to admit that a security breach was plain and ordinary – as that would look like they were caught napping.


Anthem says that it has made attempts to close down the vulnerability (details of which are currently undisclosed) through which the hackers managed to gain access, and called in law enforcement and security specialists to help them investigate the breach.

Fortunately, there is no evidence at the moment that payment card information or medical data (such as claims or test results) were compromised. Nonetheless, it seems possible that the personal information of tens of millions of Americans has fallen into the hands of criminals, who could now exploit the details for their own gain.

It appears that amongst the victims of the hack are employees of the health insurer, including Anthem’s President and CEO, Joseph R Swedish, as he explained in a statement about the breach:

“Anthem’s own associates’ personal information – including my own – was accessed during this security breach. We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data.”

The following plans are said to be affected:

  • Anthem Blue Cross
  • Anthem Blue Cross and Blue Shield
  • Blue Cross and Blue Shield of Georgia
  • Empire Blue Cross and Blue Shield
  • Amerigroup
  • Caremore
  • Unicare
  • Healthlink
  • DeCare

Anthem has put together an online FAQ for concerned customers, and says it will contact those affected by the security breach in the coming weeks via mail.

In addition, they have made a toll-free number available for current and former members to call if they have any questions (1-877-263-7995).


I’m pleased to see Anthem publishing information about the security breach online, and I’m sure customers will be grateful that the company has not tried to hide away the news, but is at least trying to alert visitors to its website at anthem.com that there has been a serious incident.

But what’s really necessary is for companies and organisations to do a better job at protecting our personal information. Too many firms who are entrusted with data from the general public are finding themselves in the uncomfortable position of admitting that they have been hacked. Consumers deserve better than this, and need to feel as though organisations are as good as their word and doing everything possible to minimise the potential for an attack to succeed.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interested in contributing to The State of Security, contact us here.

  • Vito

    This is a security disaster that is likely to create problems it will take years to solve. Social security number and date of birth are all that is necessary for a bad guy to do huge damage via identity theft. It happened to me, and it took several years to clean up the mess.

    The whole thing is due to the presumption that a federally issued social security number is a good way for businesses to identify their customers. It's no such thing. When you think it through, using such standardized information for universal identification purposes is just exactly as stupid as using the same password for multiple websites. There is no difference in principle.

    Social security numbers are issued by the Feds and should be used only by the Feds. Let Anthem and other businesses come up with their own way of identifying their customers. Leave the damned social security numbers alone. In that way, invasions like this one can do only very limited damage to customers.

    Being forced to have a social security number is bad enough in the first place. It should be usable ONLY with the Feds, and nowhere else.