Anthem Inc. reported a data breach late Wednesday that could potentially affect all of its 80 million customers.
Cyber criminals reportedly gained access to Anthem’s computer system, making off with names, birthdays, medical IDs, Social Security numbers, home addresses, email addresses, employment information including income and other information.
“Based on what we know now, there is no evidence that credit card or medical information (such as claims, test results or diagnostic codes) were targeted or compromised,” Joseph Swedish, the Anthem president and CEO, wrote in the email to customers.
Anthem, the second-largest health insurance company in the nation, has customers in 14 states, including Connecticut. The company said in an FAQ it is still working to narrow down which of its customers might have been impacted.
The company, in an email to its customers sent out Wednesday night, said it has “state-of-the-art information security systems to protect your data. However, despite our efforts, Anthem Blue Cross Blue Shield was the target of a very sophisticated external cyber attack.”
The company said the attackers gained access to Anthem’s computer system, obtaining personal information of current and former customers.
Once the attack was discovered, Swedish said, the company “made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation.”
Anthem also hired Mandiant, a high-profile cybersecurity firm, to evaluate its systems.
“Anthem’s own associates’ personal information – including my own – was accessed during this security breach,” Swedish wrote. “We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data.”
Anthem plans to individually notify current and former customers whose information was accessed, Swedish said. “We will provide credit monitoring and identity protection services free of charge so that those who have been affected can have peace of mind,” he wrote.
The company created a website, AnthemFacts.com, where customers can access information and answers about the hacking. Anthem also has a dedicated phone number for current and past members to use to ask questions about the attack. It is 877-263-7995.
“I want to personally apologize to each of you for what has happened, as I know you expect us to protect your information,” Swedish wrote. “We will continue to do everything in our power to make our systems and security processes better and more secure, and hope that we can earn back your trust and confidence in Anthem.”
Last month President Barack Obama made a call for legislation that would require companies to be more forthcoming to customers about their personal information being stolen.
The Personal Data Notification & Protection Act includes a 30-day notification deadline from the discovery of a breach, Mr. Obama announced Jan. 12. He also touted that more financial companies are now offering free credit rating information, which can help spot irregularities that might stem from fraud.
“To give consumers access to one of the best early indicators of identity theft, as well as an opportunity to improve their credit health, JPMorganChase and Bank of America, in partnership with Fair Isaac Corporation (FICO), will join the growing list of firms making credit scores available for free to their consumer card customers,” Mr. Obama said.
Monitoring services worth it?
Free credit monitoring is often offered by firms following a computer breach, but it may offer a false sense of security, consumer advocates warn.
Credit score monitoring services marketed as fraud protection have been criticized by consumer watchdogs, including the non-profit Consumer Reports, because credit monitoring doesn’t catch irregular charges on an existing credit card. Popular credit monitoring company LifeLock was forced in 2010 to pay a $12 million penalty for deceptive business practices, making false claims about what can be prevented by its service.
Monitoring credit information can alert consumers to other types of fraud, such as a new line of credit being opened, which is a less common type of fraud than using an existing account.
Among other actions, Consumer Reports recommends self-monitoring, including signing up for online and mobile access to banks and credit cards to monitor account activity in real time.