Anthem insurance companies hit by a huge data breach

Another day, another data breach at a major U.S. corporation. Anthem, Inc., the country’s second largest health insurance company, has reported that hackers have stolen personal data on millions of customers. The stolen information includes names, dates of birth, Social Security numbers, addresses, phone numbers, and employment information. It does not, Anthem says, include health records or credit-card information. The company has more than a half-dozen brands, including Anthem Blue Cross and Blue Shield, Healthlink, and Amerigroup.

Anthem posted a letter from CEO Joseph R. Swedish on its website, saying that the company would provide credit monitoring and identity protection for affected customers. And the company said it had notified the FBI when the breach was discovered, and that it had hired Mandiant, a cybersecurity firm, to bolster security. Mandiant was also hired by Sony in the aftermath of its data breach last fall.

Anthem said the breach resulted from "a very sophisticated," attack, but skepticism was being expressed on some security-oriented websites. “That’s a default moniker for what often ends up being a very banal, unsophisticated attack against poor defenses,” wrote one commenter below an article by security blogger Brian Krebs.

Anthem has not yet said when the data breach was discovered, but national legislation could require companies to let consumers know about an incident within 30 days. Indeed, one of the next big digital issues that Congress may consider in coming weeks is a data breach notification law. 

Among the issues to be debated: Whether a federal law would override state rules, especially California’s relatively stringent regulation, and whether corporations could be held liable for data breaches if their security systems were deemed insufficient to protect their customers.

—Jerry Beilinson