Insurer says millions of non-customers are impacted too.
On Tuesday, Anthem, the nation’s second largest health insurer, said that 8.8 to 18.8 million people who were not customers could be impacted by their recent data breach, which at last count is presumed to affect some 78.8 million people. This latest count now includes customers of independent Blue Cross Blue Shield (BCBS) plans in several states.
In a statement, Anthem said that the breach affects current and former customers dating back to 2004.
“This includes customers of Anthem, Inc. companies Amerigroup, Anthem and Empire Blue Cross Blue Shield companies, Caremore, and Unicare. Additionally customers of Blue Cross and Blue Shield companies who used their Blue Cross and Blue Shield insurance in one of fourteen states where Anthem, Inc. operates may be impacted and are also eligible: California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia, and Wisconsin,” the company explained.
On December 10, 2014, someone compromised a database owned by Anthem Inc. The compromise was discovered on January 27, 2015, by a database administrator who noticed his credentials being used to run a query that he didn’t initiate. Anthem disclosed the breach to the public on February 4.
In statements to the Associated Press, Anthem confirmed previous reports published by Salted Hash and added the news that credentials from at least five different employees were compromised during the incident. Investigators speculate that the employees fell for a phishing attack.
The company said that attackers were able to obtain “personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.”
The same week Anthem disclosed their breach, criminals jumped on the news and launched a phishing campaign using current events and fear as a lure, reminding potential victims that they’d be contacted via the US Postal Service, and not by email or phone.
According to Modern Healthcare, more than 50 class-action lawsuits have been filed since Anthem announced their breach. The potential legal liabilities could impact insurance plans nationwide, as the insurers find themselves legally responsible for the breach under HIPAA.
Shortly after Anthem announced updated impact numbers, the FBI said they were close to naming the attacker behind the Anthem breach. The comments were made during a roundtable discussion with reporters.
“We’re close already,” said Robert Anderson, who heads the FBI’s Criminal, Cyber, Response, and Services Branch.
“But we’re not going to say it until we’re absolutely sure,” Anderson remarked, adding – “I don’t know if it’s China or not, by the way.”