Millions of Anthem Inc. insurance customers’ account data was stolen when the company was hacked this week, the company announced late Wednesday.
The hackers gained access to Anthem’s computer system, making off with names, birthdays, medical IDs, Social Security numbers, home addresses, email addresses, employment information including income, and more.
Anthem, which has about 80 million customers in 14 states, including Connecticut and New York, is the second-largest health insurance company in the nation.
The company, in an email to its customers sent out Wednesday night, said it has “state-of-the-art information security systems to protect your data. However, despite our efforts, Anthem Blue Cross Blue Shield was the target of a very sophisticated external cyber attack.”
The company says the attackers gained access to Anthem’s IT system, obtaining personal information of current and former customers.
“Based on what we know now, there is no evidence that credit card or medical information (such as claims, test results or diagnostic codes) were targeted or compromised,” Joseph Swedish, the Anthem president and CEO, wrote in the email to customers.
If no medical information was stolen, the hacking would not fall under the 1996 Health Insurance Portability & Accountability Act, known as HIPAA, that governs medical information confidentiality and security.
Once the attack was discovered, Swedish said, the company “made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation.”
Anthem also hired Mandiant, a leading cybersecurity firm, to evaluate its systems and identify solutions.
“Anthem’s own associates’ personal information – including my own – was accessed during this security breach,” Swedish wrote. “We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data.”
Anthem plans to individually notify current and former customers whose information was accessed, Swedish said. “We will provide credit monitoring and identity protection services free of charge so that those who have been affected can have peace of mind,” he wrote.
Where to find answers
The company created a website, AnthemFacts.com, where customers can access information and answers about the hacking. Anthem also has a dedicated phone number for current and past members to use to ask questions about the attack. It is 877-263-7995.
“I want to personally apologize to each of you for what has happened, as I know you expect us to protect your information,” Swedish wrote. “We will continue to do everything in our power to make our systems and security processes better and more secure, and hope that we can earn back your trust and confidence in Anthem.”
Last month President Barack Obama made a call for legislation that would require companies to be more forthcoming to customers about their personal information being stolen.
The Personal Data Notification & Protection Act includes a 30-day notification deadline from the discovery of a breach, Mr. Obama announced Jan. 12. He also touted that more financial companies are now offering free credit rating information, which can help spot irregularities that might stem from fraud.
“To give consumers access to one of the best early indicators of identity theft, as well as an opportunity to improve their credit health, JPMorganChase and Bank of America, in partnership with Fair Isaac Corporation (FICO), will join the growing list of firms making credit scores available for free to their consumer card customers,” Obama said.
Monitoring services worth it?
Free credit monitoring is often offered by firms following a computer breach, but it may offer a false sense of security, consumer advocates warn.
Credit score monitoring services marketed as fraud protection have been criticized by consumer watchdogs, including the non-profit Consumer Reports, because credit monitoring doesn’t catch irregular charges on an existing credit card. Popular credit monitoring company LifeLock was forced in 2010 to pay a $12 million penalty for deceptive business practices, making false claims about what can be prevented by its service.
Monitoring credit information can alert consumers to other types of fraud, such as a new line of credit being opened, a less common type of fraud than using an existing account.
Among other actions, Consumer Reports recommends self-monitoring, including signing up for online and mobile access to banks and credit cards to monitor account activity in real time.