The information stolen from the insurance giant includes names, birthdays, medical IDs, social security numbers, street addresses, e-mail addresses and employment information, including income data.
Anthem said there is no evidence that credit card or medical information was compromised. While damage is still being assessed, the compromised database contained up to 80 million customer records.
Formerly known as Wellpoint, Anthem is the second-largest health insurer in the United States. The company operates plans including Anthem Blue Cross, Anthem Blue Cross and Blue Shield Amerigroup and Healthlink.
Anthem pledged to individually notify current and former customers if their data has been stolen, and by late Wednesday evening, some members reported receiving e-mails from the insurer informing them of the breach. Anthem will offer free credit monitoring and identity protection services to affected customers.
“Anthem’s own associates’ personal information — including my own — was accessed during this security breach. We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data,” CEO Joseph Swedish said in a letter to customers.
Anthem said the breach resulted from a “very sophisticated external cyber attack,” and that law enforcement agencies were still working to identify the perpetrator. The company has retained Mandiant, a leading cybersecurity firm, to help in the investigation.
The insurer is the latest in a series of companies to suffer severe data breaches. Last year, hackers obtained credit card data for 40 million Target shoppers, as well as personal information — including names, addresses, phone numbers and e-mail addresses — for 70 million customers.
Records have also been stolen from Neiman Marcus, JPMorgan Chase, Experian, eBay and Home Depot.
The Federal Bureau of investigation said that it was aware of the intrusion, and was investigating the matter. The agency also praised Anthem’s decision to quickly address the breach.
“Anthem’s initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances,” the FBI said. “Speed matters when notifying law enforcement of an intrusion.”