Anthem Inc. Reeling After Behemoth 80M-Record HIPAA Breach

The nation’s second-largest health insurance provider, Anthem Inc., has been the target of a highly sophisticated cyberattack that resulted in the theft of 78.8 million records, making this the largest data breach ever to affect the healthcare industry.

The data breach is on a par with the Target data breaches of 2013 and 2014, which exposed a total of 110 million confidential customer records, and eclipses the Tricare Management Activity data breach of 4.9 million records in 2009 and the 1.9 million record breach of Health Net Inc. in 2011.

The attack has reportedly exposed personal information including names, dates of birth, addresses and email addresses, along with Social Security numbers, medical IDs, some income data and employment information. No health data is believed to have been exposed, and no credit card numbers were stored with the compromised data. Both employees and health plan members have been affected.

The insurer discovered the data breach last week and notified the FBI of the attack. The agency is currently conducting an investigation, while Anthem is also trying to establish how access was gained.

The health insurer has established that its computer systems were targeted by hackers who gained access to a database containing approximately 78.8 million records. At this stage the company does not consider this to be a HIPAA breach, but this will not be confirmed until the investigation has been completed and Anthem is able to confirm exactly what data was stolen. Anthem president and CEO Joseph Swedish has advised members that “Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.” However, any identifiable personal data that is held by a covered entity about a patient can be considered as PHI, and could therefore fall under HIPAA legislation.

Anthem spokeswoman Cindy Wakefield said the insurer is still investigating the hack and has not confirmed exactly who has been affected, but “At this point we believe it was tens of millions.” All affected persons will be notified of the data breach by post once they have been identified.

Hackers are believed to have targeted the company for personal information and Social Security numbers, which carry a high value on the black market and can be used to commit identity fraud and medical insurance fraud.

According to Swedish, “Anthem’s own associates’ personal information, including my own, was accessed during this security breach. We join in your concern and frustration and I assure you that we are working around the clock to do everything we can to further secure your data.”

Anthem Inc., then known as Wellpoint Inc., suffered a major data breach between Oct. 23, 2009 and Mar. 7, 2010, which exposed the health records and personal information of 612,402 members. The company settled with the Office for Civil Rights in 2013 for $1.7 million for failing to implement adequate security controls to secure data and for breaching the HIPAA Security Rule.

The insurer has set up a website as a dedicated portal where potential victims can keep up to date with news about the security breach and obtain advice on what they should do, but does advise any person who believes their data may have been inappropriately used to report the matter to the FBI.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.