Hundreds of thousands of Mainers should be on guard against identity fraud after the massive theft of Social Security numbers and other sensitive personal data from health insurer Anthem Inc., the company said Thursday.

Indianapolis-based Anthem, which operates Anthem Blue Cross and Blue Shield in Maine, said “a very sophisticated external cyberattack” on its information technology systems gave thieves access to the data of millions of current and former customers and employees, including names, dates of birth, home addresses, Social Security numbers, email addresses, employer names and income figures.

Targets of the cyberattack include the company’s more than 312,000 existing customers and more than 800 employees in Maine, Anthem said. The insurer is Maine’s largest by far, handling group health care plans for major organizations.

“No credit card information was compromised, nor is there evidence at this time that medical information such as claims, test results or diagnostic codes were targeted or obtained,” company spokesman Rory Sheehan said in a written statement.

As soon as Anthem learned about the attack, it took steps to close the security vulnerability, contacted the FBI and began cooperating with the bureau’s investigation, Sheehan said.

Anthem also has retained Mandiant, a leading cybersecurity firm, to evaluate the company’s systems and identify solutions “based on the evolving landscape,” he said.

Anthem Blue Cross and Blue Shield in Maine will individually notify current and former members whose information has been accessed, Sheehan said. Those notifications should be made within two weeks, according to the Maine Department of Professional and Financial Regulation.

“Credit monitoring and identity protection services will be provided free of charge so that those who have been affected can have peace of mind,” Sheehan said. The services are expected to be available in two weeks, for a period of one year, and will be retroactive to Jan. 27.

The company has established a website – www.anthemfacts.com – where customers can access information about the data breach, including frequently asked questions and answers.

There also is a dedicated toll-free number that both current and former members can call if they have questions related to this incident. The number is (877) 263-7995.

“We take consumers’ privacy very seriously and are doing everything in our power to make our systems and security processes – and most importantly your data – more secure,” Sheehan said. “In the meantime, as we learn more, we will continue to provide updates.”

IDEAL DATA FOR IDENTITY THEFT

Nationwide, as many as 80 million current and former Anthem customers and employees were affected by the breach. That’s more than the estimated 40 million customers whose data was stolen in the pre-Christmas 2013 breach at Target, and the estimated 56 million customers affected by the Home Depot breach uncovered in September, but not as many as the roughly 90 million customer records stolen during the TJX Inc. breach of 2007, which is the largest so far.

According to Anthem’s website, its affiliated companies serve nearly 69 million people, including more than 37 million enrolled in its family of health plans.

The type of information believed to have been stolen is ideal for various forms of identity theft, including federal income tax return fraud, the most common type of theft, in which criminals use stolen personal data to file a false tax return with the IRS. Last spring, several Maine physicians were victimized in a tax fraud scam involving stolen identities.

“You go to file your own tax return and it says, ‘Sorry, somebody already filed one,’” said Timothy Feeley, a spokesman for the Office of the Maine Attorney General.

According to the U.S. Department of Justice website, “stolen identity refund fraud” prevents hundreds of thousands of American taxpayers from receiving timely income tax refunds each year and costs the U.S. Treasury billions of dollars in fraudulent refund payouts.

All a thief really needs to perpetrate such fraud is a taxpayer’s name and Social Security number, Feeley said.

“Your Social Security number is kind of the gatekeeper for the IRS,” he said.

APOLOGY, AND PLEDGE TO DO BETTER

Records also can be sold to criminals who could construct billing and insurance scams involving fake medical centers or target patients for phone scams.

People who believe they are the victim of tax-refund fraud or any other form of identity theft should file a report with both their local police and the Federal Trade Commission, Feeley said. The FTC has a dedicated website for identity theft victims at www.idtheft.gov.

In a letter posted on anthemfacts.com, Anthem President and CEO Joseph Swedish apologized to customers for the cyberattack on his company and said the company is working hard to prevent a repeat occurrence.

“I know you expect us to protect your information,” Swedish wrote. “We will continue to do everything in our power to make our systems and security processes better and more secure, and hope that we can earn back your trust and confidence in Anthem.”

This isn’t the company’s first breach, according to The Associated Press.

In 2013, the insurer agreed to pay $1.7 million to resolve allegations it left the information of more than 612,000 members available online because of inadequate safeguards. In 2008, the insurer offered free credit monitoring after it said personal information for about 128,000 customers in several states had been exposed online. In 2006, backup computer tapes containing the personal information of 200,000 of its members were stolen from a Massachusetts vendor’s office.

SEN. KING URGES CONGRESS TO ACT

The most recent Anthem data breach is merely the latest in a string of large-scale cyberattacks over the past 18 months that have targeted businesses such as Target, The Home Depot, Staples, Shaw’s, JPMorgan Chase and Sony Pictures. Together, the attacks are expected to cost retailers and financial institutions billions of dollars in lost business, fraud prevention and reimbursements to victims.

Sen. Angus King, an independent from Maine, reacted to the Anthem breach Thursday by calling on Congress to quickly enact legislation to improve information-sharing between the government and the private sector, and to bolster economic and national security against cyberattacks.

“The list of cyber-breaches, hacks and attacks will only continue to grow – and by not acting we are wasting valuable time when we know full well that the next target could be an electrical grid or our financial system,” King said in a written statement. “We know what the problem is. We know how we could take steps to combat it. I continue to strongly urge my colleagues to immediately consider cyber-security legislation. Congress needs to get this done. Enough is enough.”

Edward Sihler, technical director of the Maine Cyber Security Cluster at the University of Southern Maine, said there are ways that lawmakers could crack down on organizations that store sensitive data, such as by forcing them to regularly purge old data that is no longer needed or face stiff fines.

However, when it comes to still-relevant data, Sihler said companies such as Anthem must strike a balance between protecting it and making it accessible when needed, such as when a patient is awaiting treatment in the emergency room.

“You can’t totally lock down personal information when it comes to health care,” he said.

