Five things to know about the Anthem hack

The cyberattack on Anthem, a national health insurer, is the latest and largest customer data breach to make headlines. Here are five questions and answers about the hack.

On Wednesday, the nation’s second-largest health insurer, Anthem, said that it had been the target of a massive, “very sophisticated external cyberattack,” The New York Times reported.

Tens of millions of records about Anthem’s customers and employees – including chief executive Joseph R. Swedish – were stolen in what could be the largest ever data breach both of a health care company and of customer information, according to the Times.

Here are five questions, answered about the historic hack:

What is Anthem?

Anthem Inc. is a national health insurer that operates health plans in 14 states, including California and New York, under brands such as Anthem Blue Cross, Anthem Blue Cross and Blue Shield, and Empire Blue Cross and Blue Shield. Based in Indianapolis, Anthem was previously known as WellPoint Inc. and was formed when the Anthem Insurance Company acquired WellPoint Health Networks in 2004.

What exactly was stolen – and what wasn’t?

While the full scope of the breach is still being determined, Anthem puts the number of affected customers and employees at about 80 million, according to The Wall Street Journal, which first reported the attack. The stolen information includes names, birth dates, street and email addresses, medical IDs, Social Security numbers, and employment information, including income data.

As far as the company can tell, no credit card or medical information – such as claims, test, results, or diagnostic codes – has been compromised.

What could hackers do with the data?

The black market for these types of information is incredibly lucrative, regardless of whether hacked data includes financial details, according to a report by the RAND Corporation, a nonprofit research group. Stolen information is sold via forums, chat rooms, and online stores to the highest bidder, the report found.

The price of a name or email address ranges from fractions of a cent to about $1, depending on how reliable or fresh the data is, according to an article on security breaches on tech news site CIO.

“That may not sound like a windfall,” CIO reported, “but when you multiply it by millions of records, it quickly adds up. Take the [2012] Zappos breach as an example: If hackers in fact obtained data on 24 million customers, even if they sell only 5 million email addresses at five cents a pop – cha-ching – they've just made $250,000 off of one hack.”

Anthem said there's no evidence that the data have hit the black market. 

What’s the company doing to fix it?

Anthem, which itself detected the breach on Jan. 29, has since started working with the Federal Bureau of Investigation to look into the attack, and hired cybersecurity firm Mandiant to evaluate and improve its computer systems.

The health insurer has also set up a website, www.AnthemFacts.com, and a toll-free number, 1-877-263-7995, for current and former customers to reach for questions or concerns.

“I want to personally apologize to each of you for what happened,” Mr. Swedish said in a statement on the Anthem Facts site. “I assure you that we are working around the clock to do everything we can to further secure your data.”

How can I protect myself?

While there’s no real way to protect information we hand over to others, there are steps we can take to improve our personal cybersecurity. Most of them are basic measures many of us take for granted: Verifying Wi-Fi hotspots and avoiding logging on to banking or financial sites when on a public network could save you a lot of trouble later on, according to Forbes tech writer Amadou Diallo.

The FBI’s Cyber Division also recommends the following: Keep your firewall turned on, install and update antivirus software and anti-spyware technology, keep your operating system up-to-date, and turn off your computer when it's not in use.