As many as 80 million customers of US health insurer Anthem have had their personal information stolen.
The sophisticated hacking attack, thought to be one of the largest ever breaches of health information security in US healthcare, was confirmed by Anthem last week.
In an advisory on the breach, Anthem says that it has contacted the FBI. Anthem is the second-largest health insurance company in the US and has customers in 14 states.
The affected database had records for approximately 80 million people in it. The breach is known to have affected tens of millions of these records.
Hackers breached Anthem's computer systems and got information including names, birthdays, medical IDs, Social Security numbers, and personal demographics, employment and income data.
Anthem says that no medical data has been stolen, meaning that the breach would not be covered by US HIPAA medical data security regulations, but the personal data taken would facilitate medical fraud or identity theft.
"Anthem was the target of a very sophisticated external cyber attack," Anthem president and CEO Joseph Swedish said in a statement.
On the advisory website, Swedish said the records of Anthem staff, including his own, had been breached, and said in a statement to members:
“I want to personally apologize to each of you for what has happened, as I know you expect us to protect your information.”
Anthem identified the attack partly because it had been sharing so-called ‘indicators of compromise’ (internet addresses, malware signatures and other information associated with the breach) with other healthcare providers, working through the Health Information Trust Alliance, or HITRUST.
“It was quickly determined that the indicators of compromise were not found by other organisations across the industry and this attack was targeted at a specific organization,” HITRUST wrote in its alert.
In the UK, the Health and Social Care Information Centre is believed to be working with dozens of NHS trusts on simulated hacking attacks to help them test their cyber-security and their ability to defend against such attacks.