Anthem Inc, the nation’s second-largest health insurance company, says hackers stole tens of millions of Social Security numbers, birth dates, addresses and names from a database that contains personal information of 80 million people.
Anthem says it's unsure how many records were stolen in the hack, which it discovered last week. A company spokesperson told the Wall Street Journal Wednesday that it did not appear that medical data or financial information, like credit cards or bank account numbers, were taken.
Anthem offers plans such as Blue Cross Blue Shield to about 37.5 million people in 14 states, including New York and California. The company told the Journal that the data had not yet appeared on the black market, but it did not yet know how hackers were able to access its database.
The company said, in a statement, that it was reaching out to each employee and customer whose data was stored in the affected database by mail, and will offer them a free credit-monitoring service. It has also set up a website providing information about the attack. The FBI, along with cybersecurity firm Mandiant, is investigating the hacking attack.
Anthem discovered the security breach last week when an employee noticed someone was searching a database using his credentials. Investigators tracked the data to a cloud service outside of the company, where they were able to lock it down, Anthem says, although it doesn’t know if hackers had already copied the data or moved it elsewhere.
"I want to personally apologize to each of you for what has happened, as I know you expect us to protect your information," CEO Joseph Swedish said in a statement to those affected by the hack. "We will continue to do everything in our power to make our systems and security processes better and more secure, and hope that we can earn back your trust and confidence in Anthem."
The attack was the latest in a series of large-scale hacks targeting big companies like Home Depot, Experian, Adobe and eBay. The federal government’s Healthcare.gov website was also breached last year, but it says no personal data were taken in the attack.