(Adds details, background, quotes from FireEye and cybersecurity expert)
By Supriya Kurane and Jim Finkle
Feb 4 (Reuters) - Hackers have stolen personal information relating to current and former customers and staff of No. 2 U.S. health insurer Anthem Inc., after breaching an IT system containing data on up to 80 million people, the company said late on Wednesday.
Anthem, which has nearly 40 million customers in the United States, said it had reported the attack to the FBI and cybersecurity firm FireEye Inc. said it had been hired to help Anthem investigate the attack.
“We do confirm that this was done by an advanced group using custom malware,” said FireEye spokesman Vitor De Souza, noting that Anthem employees identified the breach, which was limited to a window of a few days.
“We know across the board that when you do see something, you need to act fast,” which Anthem appears to have done, De Souza said.
Anthem said in a statement that names, birthdays, social security numbers, street addresses, email addresses and employment information, including income data, had been accessed in what it described as a “very sophisticated attack”.
The breach did not appear to involve medical information or financial details such as credit card or bank account numbers, Anthem said, adding it immediately made every effort to close the security vulnerability, which was discovered last week.
FireEye’s De Souza said the breached database contained information from about 80 million individuals, but the extent of stolen data is still unknown, as are the perpetrators and method of the cyberattack.
“That information is a treasure trove for cybercriminals. It can easily be sold on underground markets within hours and used for a wide variety of identity fraud schemes,” said Stuart McClure, chief executive of cybersecurity firm Cylance Inc.
Cybersecurity has become a major concern both for U.S. firms facing a barrage of attacks as well as insurers trying to figure out how much of that risk they can afford to underwrite.
A high-profile attack against Sony Pictures Entertainment late last year brought the company headlines for everything from pay disparities among its employees to internal critiques about the studio’s own movies.
Other attacks have spooked consumers, with retailers Target and Home Depot both reporting the theft of such personal data as credit card numbers in recent years.
President Barack Obama’s recently proposed fiscal 2016 budget sets aside $14 billion to strengthen U.S. cybersecurity defenses, an increase of 10 percent.
Cylance’s McClure, who has helped healthcare companies respond to previous breaches, said it typically costs health insurers at least $100 per stolen record to clean up this type of cyberattack. If 10 million records were stolen, the costs to respond would likely top $1 billion, he said.
That includes costs for setting up a hotline to answer customer questions, providing credit monitoring services and meeting state and federal government disclosure requirements.
Security experts say cybercriminals are increasingly targeting the $3 trillion U.S. healthcare industry, which has many companies still reliant on aging computer systems that do not use the latest security features.
One of the largest U.S. hospital operators, Community Health Systems Inc, last year said Chinese hackers had broken into its computer network and stolen the information of 4.5 million patients.
The percentage of healthcare organizations that have reported a criminal attack rose to 40 percent in 2013 from 20 percent in 2009, according to an annual survey by the Ponemon Institute think-tank on data protection policy.
Anthem spokeswoman Kristin Binns said the company has doubled its spending on cybersecurity over the past four years. The health insurer had 37.5 million medical members as of the end of December.
“This attack is another reminder of the persistent threats we face, and the need for Congress to take aggressive action to remove legal barriers for sharing cyber threat information,” U.S. Rep. Michael McCaul, a Republican from Texas and chairman of the Committee on Homeland Security, said in a statement late Wednesday.
Medical identity theft is often not immediately identified by patients or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected.
Anthem said it would send a letter and email to everyone whose information was stored in the hacked database. It also set up an informational website, www.anthemfacts.com, and will offer to provide a credit-monitoring service. (Reporting by Supriya Kurane in Bengaluru, Jim Finkle in Boston and Deena Beasley in Los Angeles; Editing by Ken Wills and Alex Richardson)