Thursday, February 5, 2015

Anthem Hit by Massive Cybersecurity Breach

Blue Shield of California Plans with Out-of-State Members Using Blue Card Might Also Be Impacted

This is from Reuters:
Health insurer Anthem Inc (ANTM.N), which has nearly 40 million U.S. customers, said late on Wednesday that hackers had breached one of its IT systems and stolen personal information relating to current and former consumers and employees. 
The No. 2 health insurer in the United States said the breach did not appear to involve medical information or financial details such as credit card or bank account numbers. 
The information accessed during the "very sophisticated attack" did include names, birthdays, social security numbers, street addresses, email addresses and employment information, including income data, the company said. 
Anthem said that it immediately made every effort to close the security vulnerability and reported the attack to the FBI. Cybersecurity firm FireEye Inc FEYE. said it had been hired to help Anthem investigate the attack. 
The company did not say how many customers and staff were affected, but the Wall Street Journal earlier reported it was suspected that records of tens of millions of people had been taken, which would likely make it the largest data breach involving a U.S. health insurer. 
Anthem had 37.5 million medical members as of the end of December. 
"This attack is another reminder of the persistent threats we face, and the need for Congress to take aggressive action to remove legal barriers for sharing cyber threat information," U.S. Rep. Michael McCaul, a Republican from Texas and chairman of the Committee on Homeland Security, said in a statement late Wednesday. ...
Anthem said it would send a letter and email to everyone whose information was stored in the hacked database. It also set up an informational website,, and will offer to provide a credit-monitoring service. 
And this is from Anthem:
To our valued customers:

Safeguarding your employees' personal, financial and medical information is one of our top priorities, and because of that, we have state-of-the-art information security systems to protect your data. However, despite our efforts, Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem's IT system and have obtained personal information from our current and former members such as their names, birthdays, member ID/Social Security numbers, street addresses, email addresses and employment information, including income data. Based on what we know now, there is no evidence that banking, credit card, or medical information (such as claims, test results, or diagnostic codes) was targeted or compromised.

Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation. Anthem has also retained Mandiant, one of the world's leading cybersecurity firms, to evaluate our systems and identify solutions based on the evolving landscape.

Anthem's own associates' personal information - including our own - was accessed during this security breach. We join you in your concern and frustration, and we assure you that we are working around the clock to do everything we can to further secure your employees' data.

Anthem will individually notify current and former members whose information has been accessed. We will provide credit monitoring and identity protection services free of charge so that those who have been affected can have peace of mind. We have created a dedicated website ( ) where members can access information such as frequently asked questions and answers. We have also established a dedicated toll-free number that both current and former members can call if they have questions related to this incident. That number is: 1-877-263-7995. As we learn more, we will continually update this website and share that information with you. And, we developed an FAQ to help you answer questions you may receive from your employees.

We want to personally apologize to you and your employees for what has happened, as we know you expect us to protect your information. We will do everything in our power to make our systems and security processes better and more secure, and hope that we can earn back your trust.  

This is from Blue Shield:
As you may have heard, Anthem Inc. was recently the target of a cyber-attack. The news broke last night, Wednesday, February 4, 2015. Blue Shield of California is aware of Anthem's cyber-attack and we are working to gather more information and understand the scope of this issue. In California, Anthem Blue Cross is separate and independent from Blue Shield of California, though some members could be affected due to various collaborative agreements between Blue Plans throughout the country. 
Blue Shield of California continually assesses and monitors the security of its IT systems and employs advanced and up-to-date security measures. For additional information and assistance about the Anthem situation, visit or call their dedicated toll-free phone line at 1-877-263-7995. Read our FAQ for more information. 

Steps that employers should be taking with respect to their group health plans and their employees' information - from Marcia Wagner at the Wagner Law Group:
... With respect to fully insured plans, Anthem has the obligation to notify participants and is completely liable for the breach. Anthem may communicate general information to plan sponsors (e.g., steps being taken to address the breach). Some employers may want to send additional communications to employees to ease their fears.
For self-insured plans, Anthem, as a business associate, must notify the plan sponsor regarding the scope of the breach (i.e., identify those participants who have been affected). Because Anthem will communicate directly with the participants, the plan sponsor does not need to notify them of the breach. Some employers, however, may want to send an additional communication to affected employees to ease their fears. In accordance with servicing agreements and the business associate agreements, Anthem should be liable for the breach.  
In the coming days and weeks, Anthem should communicate directly with plan sponsors to tell them how it plans to proceed, when employee communications will be sent, what information will be in the communications, steps that will be taken to mitigate harm and steps that will be taken to prevent future breaches.  
Even though Anthem has indicated that it will provide free credit monitoring and identity protection, affected employees should be reminded to be vigilant and to monitor their credit reports, credit cards, etc....

Now there is an email phishing scam attempting to cash in on the Anthem hysteria. Please note that the email pictured below is not legitimate. Anthem is not calling members regarding the cyber attack and is not asking for credit card information or Social Security numbers over the phone. This outreach is from scam artists who are trying to trick consumers into sharing personal data. There is no indication that the scam email campaigns are being conducted by those who committed the cyber attack, or that the information accessed in the attack is being used by the scammers. Anthem will contact current and former members via mail delivered by the U.S. Postal Service about the cyber attack with specific information on how to enroll in credit monitoring. Affected members will receive free credit monitoring and ID protection services.

I received this update from Anthem on February 9th:
We recommend that members regularly review statements from their accounts and periodically obtain a credit report from one or more of the national credit reporting companies. Members may obtain a free copy of their credit report online at, by calling toll-free 1-877-322-8228, or by mailing an Annual Credit Report Request Form (available at to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA, 30348-5281. 
As a precautionary step, members may wish to place a fraud alert on their credit file. A fraud alert tells creditors to contact you before they open any new accounts or change existing accounts. Members can call any one of the three major credit bureaus listed below. As soon as one credit bureau confirms a fraud alert, the others are notified to place fraud alerts. All three credit reports will be sent to the member, free of charge, for review. 
Equifax: 800-525-6285
Experian: 888-397-3742
TransUnion Corp: 800-680-7289
Anthem will offer identity repair services, which will be retroactive to the date of the potential exposure, and credit monitoring, which is effective if and when the consumer enrolls, through a trusted vendor. We are in the final stages of preparation with the vendor, and anticipate members will be able to access the vendor hotline next week. At that time, members will be able to call the hotline and receive identity repair services, and if they choose, can also enroll in credit monitoring. Members will not need to wait until they receive their mailed notification. 
We will provide more detailed communications once the hotline is available. 
We will begin to mail letters to impacted members in the coming weeks.