Hundreds of thousands of Mainers should be on guard against identity fraud after the massive theft of Social Security numbers and other sensitive personal data from health insurer Anthem Inc., the company said Thursday.

Indianapolis-based Anthem, which operates Anthem Blue Cross and Blue Shield in Maine, said “a very sophisticated external cyberattack” on its information technology systems gave thieves access to the data of millions of current and former customers and employees, including names, dates of birth, home addresses, Social Security numbers, email addresses, employer names and income figures.

Targets of the cyberattack include the company’s more than 312,000 existing customers and more than 800 employees in Maine, Anthem said. The insurer is Maine’s largest by far, handling group health care plans for major organizations.

“No credit card information was compromised, nor is there evidence at this time that medical information such as claims, test results or diagnostic codes were targeted or obtained,” company spokesman Rory Sheehan said in a written statement.

As soon as Anthem learned about the attack, it took steps to close the security vulnerability, contacted the FBI and began cooperating with the bureau’s investigation, Sheehan said.

Anthem also has retained Mandiant, a leading cybersecurity firm, to evaluate the company’s systems and identify solutions “based on the evolving landscape,” he said.


Anthem Blue Cross and Blue Shield in Maine will individually notify current and former members whose information has been accessed, Sheehan said. Those notifications should be made within two weeks, according to the Maine Department of Professional and Financial Regulation.

“Credit monitoring and identity protection services will be provided free of charge so that those who have been affected can have peace of mind,” Sheehan said. The services are expected to be available in two weeks, for a period of one year, and will be retroactive to Jan. 27.

The company has established a website – – where customers can access information about the data breach, including frequently asked questions and answers.

There also is a dedicated toll-free number that both current and former members can call if they have questions related to this incident. The number is (877) 263-7995.

“We take consumers’ privacy very seriously and are doing everything in our power to make our systems and security processes – and most importantly your data – more secure,” Sheehan said. “In the meantime, as we learn more, we will continue to provide updates.”



Nationwide, as many as 80 million current and former Anthem customers and employees were affected by the breach. That’s more than the estimated 40 million customers whose data was stolen in the pre-Christmas 2013 breach at Target, and the estimated 56 million customers affected by the Home Depot breach uncovered in September, but not as many as the roughly 90 million customer records stolen during the TJX Inc. breach of 2007, which is the largest so far.

According to Anthem’s website, its affiliated companies serve nearly 69 million people, including more than 37 million enrolled in its family of health plans.

The type of information believed to have been stolen is ideal for various forms of identity theft, including federal income tax return fraud, the most common type of theft, in which criminals use stolen personal data to file a false tax return with the IRS. Last spring, several Maine physicians were victimized in a tax fraud scam involving stolen identities.

“You go to file your own tax return and it says, ‘Sorry, somebody already filed one,'” said Timothy Feeley, a spokesman for the Office of the Maine Attorney General.

According to the U.S. Department of Justice website, “stolen identity refund fraud” prevents hundreds of thousands of American taxpayers from receiving timely income tax refunds each year and costs the U.S. Treasury billions of dollars in fraudulent refund payouts.

All a thief really needs to perpetrate such fraud is a taxpayer’s name and Social Security number, Feeley said.


“Your Social Security number is kind of the gatekeeper for the IRS,” he said.


Records also can be sold to criminals who could construct billing and insurance scams involving fake medical centers or target patients for phone scams.

People who believe they are the victim of tax-refund fraud or any other form of identity theft should file a report with both their local police and the Federal Trade Commission, Feeley said. The FTC has a dedicated website for identity theft victims at

In a letter posted on, Anthem President and CEO Joseph Swedish apologized to customers for the cyberattack on his company and said the company is working hard to prevent a repeat occurrence.

“I know you expect us to protect your information,” Swedish wrote. “We will continue to do everything in our power to make our systems and security processes better and more secure, and hope that we can earn back your trust and confidence in Anthem.”


This isn’t the company’s first breach, according to The Associated Press.

In 2013, the insurer agreed to pay $1.7 million to resolve allegations it left the information of more than 612,000 members available online because of inadequate safeguards. In 2008, the insurer offered free credit monitoring after it said personal information for about 128,000 customers in several states had been exposed online. In 2006, backup computer tapes containing the personal information of 200,000 of its members were stolen from a Massachusetts vendor’s office.


The most recent Anthem data breach is merely the latest in a string of large-scale cyberattacks over the past 18 months that have targeted businesses such as Target, The Home Depot, Staples, Shaw’s, JPMorgan Chase and Sony Pictures. Together, the attacks are expected to cost retailers and financial institutions billions of dollars in lost business, fraud prevention and reimbursements to victims.

Sen. Angus King, an independent from Maine, reacted to the Anthem breach Thursday by calling on Congress to quickly enact legislation to improve information-sharing between the government and the private sector, and to bolster economic and national security against cyberattacks.

“The list of cyber-breaches, hacks and attacks will only continue to grow – and by not acting we are wasting valuable time when we know full well that the next target could be an electrical grid or our financial system,” King said in a written statement. “We know what the problem is. We know how we could take steps to combat it. I continue to strongly urge my colleagues to immediately consider cyber-security legislation. Congress needs to get this done. Enough is enough.”

Edward Sihler, technical director of the Maine Cyber Security Cluster at the University of Southern Maine, said there are ways that lawmakers could crack down on organizations that store sensitive data, such as by forcing them to regularly purge old data that is no longer needed or face stiff fines.

However, when it comes to still-relevant data, Sihler said companies such as Anthem must strike a balance between protecting it and making it accessible when needed, such as when a patient is awaiting treatment in the emergency room.

“You can’t totally lock down personal information when it comes to health care,” he said.

Comments are no longer available on this story