Hackers who broke into Anthem's online networks had access to the personal information of 60 million to 70 million of the company's current and former customers and employees, the health insurer told the Wall Street Journal. The entire database contained information on 78.8 million people, and some of the customers listed there were enrolled with Blue Cross and Blue Shield.
Between 8.8 million and 18.8 million non-Anthem customers may have been ensnared in the attack. Anthem, by working with a network of independent BCBS insurers, covers customers who receive medical care when traveling to another part of the U.S., where their BCBS care is controlled by another company, according to NBC News. Customers enrolled with Empire, Independence Blue Cross Health and other smaller, independent insurers enrolled with BCBS insurers may have had their information stolen, for example.
An Anthem spokeswoman reiterated to the Journal Tuesday that the company hasn't found any evidence that the stolen information -- names, birthdays, Social Security numbers -- is being sold on the Internet black market. The database contains personal information dating back to 2004, with the company explaining in a Securities and Exchange Commission filing that lawsuits seeking damages from the hack have been “filed in court in many states.”
It was previously reported that Anthem left its customers' health insurance information unencrypted for the sake of speed and convenience.
The details released Tuesday are among the first that Anthem has made public since revealing on Feb. 5 that it was victimized in the largest-ever cyberattack on an American health insurance company. The breach was discovered when an employee noticed that another user was using his credentials to scour the Anthem database. The FBI and the cybersecurity firm Mandiant traced the infiltration to a cloud service outside the company, with sources close to the investigation suggesting the hack had signs of Chinese involvement.
Anthem will continue alerting customers whose information may have been compromised, the company said.
Correction Feb. 27: An initial version of this story erroneously reported that "Independent Health" customer information might be at risk. The correct name of the company is "Independence Blue Cross." That change is now reflected in the above article.