Anthem Hacked: 80 million customers

[Live Free]

Yesterday's Diane Rehm Show (NPR) had cyber security experts that discussed the Anthem (as well as other public and private systems) breach. It was a fascinating roundtable discussion and if you can look it up (aired on Feb 10) and listen I highly recommend it. What is most terrifying about the breach is that the consequences of obtaining SSNs and birthdays and other identifying info (medical conditions, etc) will be a problem for many years to come. It is isn't just that someone steals your identity to get credit. With this data, people can high jack your ID for obtaining expensive medical care, state and federal tax refunds, etc. It it can happen 10 years from now because that data is out in cyber world being sold to rouge countries and cyber criminal organizations. Also, they did discuss the problem of having little to no consequences for businesses that don't protect private citizen's information.

Really scary stuff. I think I'm going to encourage my DS to study cyber security. There must be a strong job market now and in the future for that.

Editing to add: One of the panelist on the show mentioned that Anthem now believes the breach occurred as early as April 2014 but was only more recently discovered.

[Bikerdude]

Quote:

Originally Posted by Live Free What is most terrifying about the breach is that the consequences of obtaining SSNs and birthdays and other identifying info (medical conditions, etc) will be a problem for many years to come. It is isn't just that someone steals your identity to get credit. With this data, people can high jack your ID for obtaining expensive medical care, state and federal tax refunds, etc. It it can happen 10 years from now because that data is out in cyber world being sold to rouge countries and cyber criminal organizations. Also, they did discuss the problem of having little to no consequences for businesses that don't protect private citizen's information.

This is the exact reason I believe Anthem should provide LIFETIME identity protection to everyone whose SS# was hacked. Class action suit anyone?

[ERhoosier]

Quote:

Originally Posted by Bikerdude This is the exact reason I believe Anthem should provide LIFETIME identity protection to everyone whose SS# was hacked. Class action suit anyone?

Class action has already been prepared by one (ahem) "industrious" Indiana law firm. Only 12 HOURS after official announcement. And before any details of the mechanism of the breach were known, inc whether it was result of negligence or criminal acts.
Anthem data breach already sparks class-action lawsuit | 2015-02-05 | Indianapolis Business Journal | IBJ.com

Maybe the FEDS should provide that lifetime identity protection to all since gov't is the biggest offender. Two of the largest HC data hacks have been at the VA (multiple) and TRICARE.
VA data breach 'practically unavoidable,' memo says
TRICARE breach puts 4.9M military clinic, hospital patients at risk | Healthcare IT News
And the IRS still cannot stop BILLIONS$ in stolen taxpayer income tax refunds.
Tax refund fraud to hit $21B, and there's little the IRS can do

[Bikerdude]

Just heard on the local news that Anthem is planning on offering 2 yrs. of credit monitoring if you were affected. Seems inadequate for the information hacked IMO.

[MichaelB]

I think we've reached the point where credit monitoring should be free and available to everyone with a SS number. Not holding my breath.

[sheehs1]

Quote:

Originally Posted by MichaelB I think we've reached the point where credit monitoring should be free and available to everyone with a SS number. Not holding my breath.

Agree. Really upset about this and all the other hacks but mainly any hack that obtained SSN numbers considering the long term risks and implications.

[FIREd]

We have not received a letter from Anthem yet, but they are our current health insurance provider so we immediately froze our credit. If our SS number and other information make it out into the open, then we'll have to be on our guard for the rest of our life. I am really irritated by this, to put it politely. And Anthem's response so far has been nothing more than a shrug. Free credit monitoring for 2 years? Pfff, you must be joking. The scary part is that those same people are also in charge of what I regard as the most private of records, my medical record. Confidence in their ability to safeguard that information is low.

[Gumby]

This is the letter Anthem wrote yesterday in response to our Attorney General here in CT prodding them on what they would do.

http://www.ct.gov/ag/lib/ag/press_re...toctag_doi.pdf


and his two earlier letters to them

http://www.ct.gov/ag/lib/ag/press_re...thembreach.pdf

http://www.ct.gov/ag/lib/ag/press_re...eachletter.pdf

[MichaelB]

Quote:

Originally Posted by Gumby This is the letter Anthem wrote yesterday in response to our Attorney General here in CT prodding them on what they would do. http://www.ct.gov/ag/lib/ag/press_re...toctag_doi.pdf and his two earlier letters to them http://www.ct.gov/ag/lib/ag/press_re...thembreach.pdf http://www.ct.gov/ag/lib/ag/press_re...eachletter.pdf

Gumby, thanks for the link.

The Anthem FAQ is interesting. The way I read it, there is a key difference between the response by Target, HD and others - they offered one year of credit monitoring to everyone, while Anthem is going to indicate which members will be protected, contacting them by mail. This isn't good news, leaving lots of folks unsure and wondering what to do.

BCBS BlueCard members nationwide are among the affected, even if their policy is not issued by Anthem. From the healthcare threads last year I'd say that hits a number of us.

Quote:

Yes, BlueCard members are impacted. The Blue Cross and Blue Shield Association's BlueCard is a national program that enables members of one Blue Cross and Blue Shield Plan to obtain healthcare services while traveling or living in another Blue Cross and Blue Shield Plan's service area. The program links participating healthcare providers with the independent Blue Cross and Blue Shield Plans across the country and in more than 200 countries and territories worldwide through a single electronic network for claims processing and reimbursement.

http://www.anthemfacts.com/faq

[audreyh1]

This is what I'm afraid of. The database was so large, it probably did include every BCBS customer in the country. But no one will come out and admit it.

So they are focused on contacting their members, but say nothing about the contacting people in unaffiliated BCBS plans whose information may also have been compromised?

BCBS of Texas says they are working with anthem to find out if any of their customers are affected. So we should expect to hear from BCBS TX one of these days I guess.
Alerts and Announcements | Blue Cross and Blue Shield of Texas - Information Regarding Anthem Data Breach

[Big_Hitter]

I had my ID compromised late last year (SSN, DOB, thewholeballofwax) and while it stinks, at least I didn't lose any $$$ and didn't die of a heart attack during the process.


There are worse things in life than having your ID stolen.

[MichaelB]

Quote:

Originally Posted by audreyh1 This is what I'm afraid of. The database was so large, it probably did include every BCBS customer in the country. But no one will come out and admit it.

The link is from Anthem, the quote from the CO. It's official - at the very least, our SS#, address and birthdate were part of the breach.

Anthem CEO letter http://www.anthemfacts.com/

[Big_Hitter]

oh, and I have a blue card - but my credit is still locked from the incident

[Big_Hitter]

Quote:

Originally Posted by Live Free Editing to add: One of the panelist on the show mentioned that Anthem now believes the breach occurred as early as April 2014 but was only more recently discovered.

interesting

[audreyh1]

Quote:

Originally Posted by MichaelB The link is from Anthem, the quote from the CO. It's official - at the very least, our SS#, address and birthdate were part of the breach. Anthem CEO letter http://www.anthemfacts.com/

This is what BCBS TX says - they aren't really spelling it out, indicting they're still trying to determine if their customers have been affected.
Alerts and Announcements | Blue Cross and Blue Shield of Texas - Information Regarding Anthem Data Breach

But I guess we'll probably hear from them in a week or so.

[MichaelB]

Quote:

Originally Posted by audreyh1 This is what BCBS TX says - they aren't really spelling it out, indicting they're still trying to determine if their customers have been affected. Alerts and Announcements | Blue Cross and Blue Shield of Texas - Information Regarding Anthem Data Breach But I guess we'll probably hear from them in a week or so.

Florida Blue notice is here and they added a Q&A here . Both communications (Tx and Fl) are evasive. This "Don't call us, we'll call you sent you a letter" leaves too much unresolved. They're asking us to trust them, they'll let us know if we have something to worry about?

[sheehs1]

Quote:

Originally Posted by Gumby This is the letter Anthem wrote yesterday in response to our Attorney General here in CT prodding them on what they would do. http://www.ct.gov/ag/lib/ag/press_re...toctag_doi.pdf and his two earlier letters to them http://www.ct.gov/ag/lib/ag/press_re...thembreach.pdf http://www.ct.gov/ag/lib/ag/press_re...eachletter.pdf

Interesting letters and the second one from the Attorney General was quite specific. Anthem's response was not and little additional information could be gleaned from their response.

Hope all the Attorney Generals from all states responding appropriately.

Have been an Anthem or Blue Cross Blue Shield or some affiliate customer for decades. Can't imagine the hack didn't get me or all of us that have affiliations for that matter.

Wonder if the other insurers are "rushing" to encrypt their data.

[MRG]

They're asking the correct questions. Anthem possibly lost PHI. There's big money at stake, well not enough, when you consider the costs of securing our data vs. the costs to all of us.

HIPPA allows for possible jail time for people that showed "willful neglect". The only way to make preventable breaches go away is for the correct people to get severely penelized. IMHO nothing better for the regulators to show an industry you mean business by putting C level execs in orange jumpsuits.

[explanade]

Well I had just enrolled with Anthem in December through the CA exchange.

But I also had Anthem BC as administrator for my employer plans, though under a different email address, so my data probably would have been exposed if they really stole it in 2014.

OTOH, no evidence of identity theft yet like credit taken out with my SS. Maybe credit freeze was overly cautious.

[ERhoosier]

Quote:

Originally Posted by MRG They're asking the correct questions. Anthem possibly lost PHI. There's big money at stake, well not enough, when you consider the costs of securing our data vs. the costs to all of us. HIPPA allows for possible jail time for people that showed "willful neglect". The only way to make preventable breaches go away is for the correct people to get severely penelized. IMHO nothing better for the regulators to show an industry you mean business by putting C level execs in orange jumpsuits.

From news reports this is not a HIPPA issue as the data breached was financial and not health records.
But I fully agree those responsible should be held accountable....Just not holding my breath. Those of us vets who had financial, and in some cases actual PHI, breached years ago by VA are still waiting for accountability. And VA has still not fully addressed its underlying issues.

FWIW- does no one else find it rather strange that we are all rushing to put our trust in credit freezes with a huge credit firm (Experian) that has (allegedly) been hacked recently for up to 200 million SSAN's...and cannot even tell who those folks are to notify them?!? I can find no offer of ANY identity theft protection being offered by that company for that data breach- or even waiving their normal credit freeze fees.
States Investigating Data Breach at Experian: Report - NBC News

IMHO- As troubling as these specific incidents are, these cases are symptomatic of the MUCH larger issue of globally lax cybersecurity.