Dive Brief:
- As many as 80 million current and former customers of Anthem Inc. have had their personal data stolen in an attack that is likely "the largest healthcare breach to date," according to a spokesman for Anthem's security company Mandiant.
- Hackers accessed a database that included names, birthdays, medical IDs, Social Security numbers, street addresses, e-mail addresses and income data. No medical information appears to have been stolen, so Anthem likely will not face sanctions under HIPAA.
- Anthem, which characterized the attack as "very sophisticated," discovered the attack last week and is working with the FBI's investigation.
Dive Insight:
The impacted database held the information for 80 million, but the actual figure is probably substantially less. "[W]e are still investigating to determine how many were impacted," said Anthem spokeswoman Cindy Wakefield. "At this point we believe it was tens of millions."
That figure is still in another stratosphere compared to the previous record-holder for the largest healthcare breach: Community Health Systems announced in August that it had been the victim of a massive theft of the personal data of 4.5 million people. The hack likely occurred in April or June of last year and included patient names, addresses, social security numbers and other HIPAA-protected data.
CHS employed the same security contractor, Mandiant, who at the time said it believed that the hack had originated in China. According to the company, the federal government says that these kinds of attacks are usually geared toward the theft of intellectual property, like medical device and equipment development information. In this case, hackers appear to have been targeting the personally-identifiable information that they got—although Anthem has said that no credit card information was compromised. What they were likely not interested in was medical information, according to Tim Eades, CEO of CA-based computer security firm vArmour.
"The personally identifiable information they got is a lot more valuable than the fact that I stubbed my toe yesterday and broke it," Eades said. So at least Joe Swedish can breathe easy about HIPAA fines.