Personal information belonging to least 300,000 Maine residents is at risk after hackers launched a massive cyberattack on health insurer Anthem Inc., breaching a database containing data on up to 80 million people, according to the company.
Anthem disclosed the attack late Wednesday, saying it suspected hackers had stolen information belonging to tens of millions of current and former customers as well as employees.
Several states are investigating the attack, which is being looked at for possible ties to China, according to a source familiar with the probe.
Anthem said in a statement that names, birthdays, Social Security numbers, street addresses, email addresses and employment information, including income data, had been accessed in what it described as a “very sophisticated attack.”
Anthem is Maine’s largest private health insurer, with about 312,000 members across the state. The company provides coverage to small and large businesses in Maine, as well as to individuals.
Rory Sheehan, a spokesman for Anthem in Maine, could not provide an estimate on the number of Mainers potentially affected by the breach, including past customers. Both primary policyholders and family members covered through Anthem plans could be affected, he said.
The insurer employs more than 800 workers at its office in South Portland, Sheehan said.
“Initial analysis indicates this was a sophisticated attack which allowed the attackers to have access to information on tens of millions of consumers across all of our affiliated plans,” Sheehan said in a statement. “While we do not have specific numbers at this time, we are taking the broadest view possible and assuming that any of our members or employees could have been at risk. That is why we have already begun the process of notifying current and former members about the attack.”
Anthem, the nation’s second-largest health insurer with nearly 40 million customers, said it reported the attack to the FBI, and cybersecurity firm FireEye Inc. said it had been hired to help Anthem investigate the attack.
The breach did not appear to involve medical information or financial details such as credit card or bank account numbers, Anthem said, adding it immediately made every effort to close the security vulnerability, which was discovered last week.
“Although it’s unknown whether Maine consumers will be impacted by the Anthem data breach, I encourage people to closely monitor medical and financial records for evidence of identity theft,” Gov. Paul LePage said in a news release. “State and federal laws protect consumers from the effects of identity theft. The staff at Maine’s Department of Professional and Financial Regulation is available to provide specific information.”
Bloomberg News and the Wall Street Journal reported on Thursday that investigators had uncovered evidence that Chinese state-sponsored hackers were behind the attack, citing unnamed sources.
A source familiar with the probe told Reuters that a connection to China was being looked at.
The Wall Street Journal said people close to the investigation say some tools and techniques used against Anthem were similar to ones used in previous attacks linked to China.
“We do confirm that this was done by an advanced group using custom malware,” said FireEye spokesman Vitor De Souza, noting that Anthem employees identified the breach, which was limited to a window of a few days.
“We know across the board that when you do see something, you need to act fast,” which Anthem appears to have done, De Souza said.
De Souza said the breached database contained information from about 80 million individuals, but the extent of stolen data is still unknown, as are the perpetrators and method of the cyberattack.
“That information is a treasure trove for cybercriminals. It can easily be sold on underground markets within hours and used for a wide variety of identity fraud schemes,” said Stuart McClure, chief executive of cybersecurity firm Cylance Inc.
Anthem’s data breach comes at a critical time, just days ahead of a Feb. 15 deadline for consumers to enroll in health insurance under the Affordable Care Act for coverage in 2015. Anthem is one of three health insurers selling plans to Maine residents through Healthcare.gov, the federal insurance marketplace set up under the health reform law.
Cybersecurity has become a major concern both for U.S. firms facing a barrage of attacks as well as insurers trying to figure out how much of that risk they can afford to underwrite.
A high-profile attack against Sony Pictures Entertainment late last year brought the company headlines for everything from pay disparities among its employees to internal critiques about the studio’s own movies.
Other attacks have spooked consumers, with retailers Target and Home Depot both reporting the theft of such personal data as credit card numbers in recent years.
President Barack Obama’s recently proposed fiscal 2016 budget sets aside $14 billion to strengthen U.S. cybersecurity defenses, an increase of 10 percent.
Cylance’s McClure, who has helped health care companies respond to previous breaches, said it typically costs health insurers at least $100 per stolen record to clean up this type of cyberattack. If 10 million records were stolen, the costs to respond would likely top $1 billion, he said.
That includes costs for setting up a hotline to answer customer questions, providing credit monitoring services and meeting state and federal government disclosure requirements.
Security experts say cybercriminals are increasingly targeting the $3 trillion U.S. health care industry, which has many companies still reliant on aging computer systems that do not use the latest security features.
One of the largest U.S. hospital operators, Community Health Systems Inc., said last year that Chinese hackers had broken into its computer network and stolen the information of 4.5 million patients.
The percentage of health care organizations that have reported a criminal attack rose to 40 percent in 2013 from 20 percent in 2009, according to an annual survey by the Ponemon Institute think-tank on data protection policy.
Anthem spokeswoman Kristin Binns said the company has doubled its spending on cybersecurity over the past four years. The health insurer had 37.5 million medical members as of the end of December.
“This attack is another reminder of the persistent threats we face, and the need for Congress to take aggressive action to remove legal barriers for sharing cyber threat information,” U.S. Rep. Michael McCaul, a Republican from Texas and chairman of the Committee on Homeland Security, said in a statement late Wednesday.
U.S. Senator Angus King, a member of the Senate Intelligence Committee, commended Anthem for being forthcoming about the breach, but he called on Congress to enact legislation to improve information sharing between the government and private businesses.
“How many cyberattacks do we have to endure, how many Americans have to be put at risk, before Congress takes action on this incredibly pressing and serious issue?” he said in a statement.
Medical identity theft is often not immediately identified by patients or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected.
Anthem said it would send a letter and email to everyone whose information was stored in the hacked database. It also set up an informational website, www.anthemfacts.com, and will offer to provide a credit-monitoring service. Consumers may call a dedicated toll-free number with questions related to the incident at 877-263-7995.
Bangor Daily News Health Editor Jackie Farwell contributed to this report.