The Office of Personnel Management is keeping a close eye on details emerging about a hack at the second biggest U.S. health insurer, Anthem Inc., which provides coverage to 1.3 million federal employees.
Anthem runs the Blue Cross-Blue Shield Service Benefit Plan, better known as the Federal Employee Program, or FEP, in many states, including Virginia, California and New York.
"OPM is closely monitoring the situation," an agency spokesman told Nextgov. "Anthem informed OPM that it shut down the network in question and is working to ensure the security of its systems as it investigates the extent of the breach."
When contacted by Nextgov on Thursday, Anthem officials were not ready to discuss the potential ramifications of the incident for current or former federal employee members.
In a statement, officials said intruders perpetrated "a very sophisticated attack" to break into Anthem’s systems, and the offenders "have obtained personal information relating to consumers and Anthem employees who are currently covered, or who have received coverage in the past."
The affected database housed records on roughly 80 million customers and tens of millions of records were copied, according to The Wall Street Journal, which first reported the incident.
The information accessed includes Social Security numbers, names, birth dates, street addresses, email addresses and employment information, including income data, according to Anthem.
There is no evidence right now that medical information was obtained or even targeted, officials said. No credit card information was breached.
Perhaps signaling a change in the way organizations come clean about breaches, Anthem publicly acknowledged its database had been attacked within about a week after it was first discovered. Many firms, such as Target -- and even agencies, including OPM itself -- have taken months to inform customers of data breaches.
Anthem detected the hack on its own -- another rarity in the rash of breaches that have struck the U.S. Postal Service and other organizations in recent months. The FBI and private investigators at cyber forensics firm Mandiant are now probing the insurer’s situation.
Anthem says it will "individually notify current and former members whose information has been accessed."
Free credit monitoring and identity protection services will be provided "so that those who have been affected can have peace of mind," officials added. “We take consumers’ privacy very seriously and are doing everything in our power to make our systems and security processes – and most importantly your data – more secure."