This is the worst ever breach of medical records
Hackers stole data on as many as 80 million customers at US health insurance giant Anthem, in what is believed to be the worst breach on record of medical records.
"Cyber attackers executed a very sophisticated attack to gain unauthorised access to one of Anthem's IT systems and have obtained personal information relating to consumers and Anthem employees who are currently covered, or who have received coverage in the past," a statement on Wednesday from the second-largest US health insurer said.
"Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation," said chief executive Joseph Swedish.
"Anthem's own associates' personal information - including my own - was accessed during this security breach. We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data."
The information includes names, birth dates, social security numbers, street addresses, email addresses and employment information, the company said.
"The affected database has records for 80 million people and tens of millions" of them were stolen, spokesperson Cindy Wakefield said.
The breach is the latest exposing personal information on millions. Last year, US retailer Home Depot said 53 million email addresses were stolen, months after fellow retailer Target said personal data on 70 million customers was accessed.
Some experts say medical data can be even more lucrative to hackers than credit cards, because they can create fake identities for prescription drugs to be resold, or file false insurance claims.
Security experts welcomed Anthem's decision to make the issue public swiftly.
"I'm pleased to see Anthem publishing information about the security breach online, and I'm sure customers will be grateful that the company has not tried to hide away the news," independent security researcher Graham Cluley said in a blog post.
"But what's really necessary is for companies and organizations to do a better job at protecting our personal information. Too many firms who are entrusted with data from the general public are finding themselves in the uncomfortable position of admitting that they have been hacked."