Health Insurer Anthem Hacked: 80 Million Members Exposed

Anthem

Update: 11:30 a.m. ET: Health Data Management reports that Anthem Inc. is refusing to comply with a security audit request from the U.S. Office of Personnel Management (OPM) Inspector General Office (OIG). The request comes after the data breach detailed below.

Because Anthem participates in the Federal Employees Health Benefits Program, which is managed by the OPM, they are subject to these external audits.

Anthem refused the standard vulnerability scans and configuration compliance tests, citing the audit conflict with a corporate policy prohibiting external entities from connecting to the Anthem network. In attempts to supplement their audit, OPM tried to obtain additional information about Anthem’s internal practices but received conflicting statements about their procedures.

This is the second time the organization has refused an audit request from the OPM inspector general. The first refusal came this summer before their breach was discovered. Following the initial refusal OPM adjusted the FEHBP contract to allow a certain degree of auditor access.

Update: 10:30 p.m. ET: After phishing scams plagued Anthem’s breach victims, the company finally launched an identity protection enrollment website for impacted individuals. Identity theft protection through Anthem is free and available to all Anthem members — of any age.

If your child is covered under an Anthem health insurance plan, it is wise to enroll them in this service as well. Child identity theft is one of the most detrimental forms of fraud. Because children lack any credit history, criminals can intermingle the child’s clean credit with the perpetrators name and date of birth. This process is known as synthetic identity theft.

Concerned parents should monitor their child’s credit carefully — pulling their credit reports from the three major bureaus annually. Review any existing accounts, such as treasury bonds and college savings accounts, for any discrepancies or unusual activity.

If you or your child becomes a victim of identity theft, report the crime to the police immediately. You will need that police report to file an “Identity Theft Affidavit” with the FTC. For more information, visit Fighting Identity Crime’s Education Center.

Update: 2:30 p.m. ET: Anthem is in more hot water as phone scams and lawsuits have begun to surface.

Members are being warned of telephone scammers posing as fraud protection providers. The fraudsters will request the personal or financial information of members in order to commit identity fraud or theft. Do not provide them with any information; hang up immediately.

Security expert Brian Krebs is now reporting that the attack on Anthem may have begun as early as April 2014. The way this breach was executed was a hallmark of the state-sponsored Chinese cyber sabotage that reportedly began in 2013.

A total of four breach-related lawsuits have since been filed against Anthem in Georgia, Indiana, California and Alabama.

Update: 4:30 p.m. ET: Spear phishing attempts against Anthem customers have now been reported. These emails claim to be from Anthem and provide a link to sign up for free credit card account protection services. Do not click on this email, forward it or reply. Anthem will provide protection services enrollment information via mail. 

For more information on phishing emails please visit our Scam Education Center.

AnthemPhishingEmailWhat happened?

Anthem, the country’s second-largest health insurance provider, has disclosed a massive data breach affecting their customers and employees. The company, formerly WellPoint, learned of the breach last week and has only just publicly announced it in a letter to customers.

Anthem attributes the breach to a group of “highly sophisticated” hackers who accessed a database containing the names, birthdates, street addresses, email addresses, health IDs, employment information, income data and Social Security numbers of as many as 80 million current and former members and employees.

Experts believe it could be one of the largest health-care data breaches to date.

The database stored member information from all of Anthem’s product lines, including Anthem Blue Cross and Anthem Blue Cross and Blue Shield. However, it is still unclear how much of this information was successfully obtained by hackers and how they were able to infiltrate the system.

In the letter to customers announcing the data breach, Anthem’s CEO Joseph Swedish said, “I want to personally apologize to each of you for what has happened, as I know you expect us to protect your information. We will continue to do everything in our power to make our systems and security processes better and more secure, and hope that we can earn back your trust and confidence in Anthem.”

The health insurer is currently cooperating with an FBI investigation into the matter and has contacted an outside cybersecurity firm for additional assistance.

What should you do?

Due to the sensitive nature of the information that has been exposed, Anthem members and employees are now at an increased risk of fraud and identity theft. Anyone potentially impacted by this breach should be vigilant about minimizing fraud risks, including taking the following actions:

  • Check your credit report
  • Monitor your bank statements regularly
  • Watch for spam or phishing attempts via phone or email

Anthem will be offering impacted individuals free credit monitoring and identity theft protection services. Enrollment information will be provided via mail. Please visit Anthem’s support website or contact their customer hotline at 1-877-263-7995 if you have additional questions related to the incident.

Learn more about data breaches and how to protect your personal information in Fighting Identity Crimes’ Education Center.

The views and opinions expressed in this article are those of EZShield Inc. alone and do not necessarily reflect the opinions of any other person or entity, including specifically any person or entity affiliated with the distribution or display of this content.

John Burcham, Chief Privacy Officer at EZShield Fraud Protection
John Burcham is Corporate Counsel for EZShield. He is a Certified Compliance and Ethics Professional...
Read more about John Burcham.

2 Comments

  1. Apparently, Caremark mail rx service has been hacked, or one of its affliates.
    I registered a new Chase CC in August and have ABSOLUTELY ONLY used this account with CVS Caremark…no other person or site, or business. The only company who should have this data would be caremark and chase.The card never left my home and was secured. Yesterday, I got a chase alert that the card had a small transaction on EBay. Of course it was fraud. I truly suspect that Anthem’s failure to secure or encrypt any data, including payment data and personal data not only breaches HIPPA law but is being used already in ID theft fraud.

    Reply
    • We are sorry to hear that your identity has been compromised. You are wise to stay on top of the situation and keep track of your information as closely as possible. Continue to monitor your accounts and be sure to contact the credit bureaus to request a fraud alert.

      Reply

Leave a Comment.