Officials with Anthem Blue Cross Inc. were still determining Thursday how many of its California members may have had personal information compromised by a huge security breach at its parent company.
The insurer, based in Thousand Oaks and owned by Anthem Inc., of Indianapolis, has about 8 million members in the state but the breach may also affect former members, said a company official who declined to be identified. Anthem Blue Cross is California’s largest for-profit health insurer.
The hacked database of Anthem Inc. contained information on 80 million people, making the attack among the largest data breaches in history. By comparison, a breach of Target Corp. in late 2013 compromised credit card information of 40 million customers, while a hack last summer at JPMorgan Chase & Co. left vulnerable names, addresses, phone numbers and email addresses of 83 million account holders.
Anthem Chief Executive Joseph Swedish admitted to the breach late Wednesday following a story published by the Wall Street Journal. Swedish said in a statement that the cyber-attack allowed access to names, birthdays, medical ID numbers, social security numbers, street addresses, email addresses and employment information, including income data.
“Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised,” Swedish said in the statement posted at a website set up specifically to address the attack, AnthemFacts.com.
The company is working with the FBI on an investigation into who is behind the attack and hired cybersecurity firm Mandiant to evaluate the information technology system. The Alexandria, Va. firm is a subsidiary of FireEye Inc., in Milpitas.
The Los Angeles Times reported that suspicious activity was first noticed in late January and an internal investigation confirmed the cyberattack. Unauthorized access to the database goes back to Dec. 10, the Times reported.
Security issues over customer data are not new to Anthem.
In 2013, the company, then known as Wellpoint Inc., paid a $1.7 million penalty to settle allegations that it left the health information of more than 600,000 people online from October 2009 to March 2010 because of security weaknesses.
