Anthem Security Breach Affects Nearly 80 Million Customers

Getty Images/ John Lund.

Anthem, Inc., administrator of the Blue Cross Blue Shield health plans for 14 states and the nation’s second largest health care insurance provider suffered the largest health care data breach to date in January of 2015 affecting almost 80 million of its customers. Even the company’s own CEO had his data compromised. Such data breaches in recent years have raised alarms and sent many companies searching for solutions including purchasing cyber insurance to protect from cyber security data breaches.

Other companies affected by recent cyber breaches include JP Morgan Chase, Target, Home Depot and Staples.

This latest data leak affects not only current customers of Blue Cross Blue Shield but also past policyholders as far back as 2004. This includes customers from the states serviced by Anthem, Inc.; California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia and Wisconsin. Other states such as Florida and Texas have independently run Blue Cross companies with a total of 37 companies operating in all services approximately 105 million policy holders.

Customers in affected states had data stolen including names, dates of birth, member numbers, social security numbers, addresses, telephone numbers, employment and income data as well as email addresses. No medical information appears to have been stolen and company spokespersons report that credit card information also remained untouched.

Since no actual medical information was stolen, the data breach does not fall under the 1996 Health Insurance Portability and Accountability Act (HIPPA) which was created to govern confidentiality and security of patient medical information.

How Did It Happen?

The cyber-attack on Anthem was not the work of amateurs.

The president and CEO of Anthem, Joseph Swedish stated, "Anthem was the target of a very sophisticated external cyber-attack." The company has created a statement to give policy holders further information about the incident on its website.

The hackers did not only access the information but actually stole the records including very sensitive data such as social security numbers. This type of sensitive information was more valuable than health information as puts millions at risk of identity theft. The Wall Street Journal published an investigative report critical of Anthem’s decision not to encrypt customer data.

Anthem’s Response

In addition to establishing the Anthem Facts company website where members can access information about the incident, it is cooperating with the FBI and state authorities in an ongoing investigation. Any customers of Anthem call also call the company at 877-263-7995 for further information. Anthem is mailing letters to affected customers as well as offering two years of identity theft repair assistance, identity theft insurance, credit monitoring and fraud protection.

Company spokesperson, Kristin Binns, said all individual members will be notified directly.

FBI spokesman, Joshua Campbell, urges customers who suspect instances of identity theft to report it to the FBI Internet Crime Complain Center. Anthem has reported that all customers will be notified by mail and that it will not email or call customers and warns against email and phone scams from representatives claiming to be from Anthem.

Health Insurance Accountability Legislation

Further legislation is needed to protect health information. The Health Insurance Portability and Accountability Act (HIPAA) suggest that companies encrypt customer data but do not require it. Until legislation is passed to require encryption of patient health records, the public will continue to remain vulnerable to these types of cyber-attacks. The 2009 HITECH Act required public disclosure of breaches of health data that affect more than 500 people with an exception for companies who encrypt patient data.

A database of major breaches is maintained by the government. This incident is the largest in history and over 40 million people may feel the effects of this for up to a decade or longer.

Take Extra Precautions

With cyber threats on the rise, security experts recommend you take extra precautions to safeguard your personal sensitive data. Review your credit report for suspicious activity and be on the lookout for suspicious phone calls and emails. Never give out your personal information to anyone who you do not know is 100 percent legitimate.