A Year Later, Impact of Anthem Data Breach Still Debated

Published: 8/4/2016 11:38:07 AM
Modified: 2/21/2016 12:00:00 AM
While a year has passed since Anthem Inc. disclosed a data breach in which Social Security numbers and other sensitive information from 80 million consumers were taken, the company and its critics still disagree about how much damage was done.

The adequacy of the consumer protection services Anthem offered its customers after the breach also remains the subject of disagreement.

Anthem said it is not aware of any current or former customers who have suffered any ill effects to date as a result of the theft of their Social Security numbers or other personal information.

“There is no evidence that fraud has occurred against our members, including fraudulent tax returns, resulting from the attack,” said Colin Manning, a spokesman for Anthem Blue Cross and Blue Shield in New Hampshire.

State officials concur. No fraud has been detected that can be shown to have originated in the data breach, said James Boffetti, the senior assistant attorney general in the New Hampshire Justice Department’s Consumer Protection and Antitrust Bureau.

“I’m not aware of any definite links,” he said, adding that proving such connections can be problematic. “I’m not sure you could ever trace it back.”

Nor has the stolen data shown up in the markets in which illicitly obtained information are sometimes traded, according to Manning.

“In working with the FBI, we have found no evidence that the cyber attackers have shared or sold any of our members’ data,” Manning said.

The FBI’s national press office did not respond to an email requesting comments on its investigation of the data breach.

Paul Stephens of the Privacy Rights Clearinghouse, a nonprofit advocacy organization in San Diego, said it is extremely difficult to tie specific fraudulent activities to specific data breaches, but added, “There has not been a higher incidence of identity theft against the people who were victims of Anthem’s data breach.”

The lack of identity theft activity has given rise to speculation that a foreign government might have executed the breach with some other intention than financial gain, Stephens said.

But a class action lawsuit now pending in U.S. District Court in San Jose, Calif., claims that consumers have already been victimized. The lawsuit alleges that data breach victims “have had fake tax returns filed in their names, allowing criminals to abscond with their tax refunds, have had bank accounts drained, and have had credit cards or fraudulent loans taken out in their names.”

The lawsuit also warns that consumers whose information was taken “must worry about being victimized throughout the rest of their lives.”

Eve Cervantez, a lead attorney for the plaintiffs in the class action lawsuit, declined to comment on the potential liability or other aspects of the pending litigation.

Anthem has “contingency plans and insurance coverage for certain expenses and potential liabilities of this nature” but has not yet been able to estimate the losses that may result from the cyber-attack, according to a Feb. 19 securities filing. Anthem noted that the lawsuit had not yet been certified as a class action, and that there were “significant factual and legal issues to be resolved.”

Protection Measures

Stephens said it is too early for consumers to let their guards down or conclude that the danger of having the purloined Anthem data used against them has passed. Thieves “can sit on the information for a while and use it many years after the information is obtained,” Stephens said.

But alleviating that lingering threat may be no simple task for victims of the data breach, whose ranks may include more than 700,000 residents of the Twin States.

In New Hampshire, about 668,000 current and former customers were affected, Manning said.

In the Green Mountain State, as many as 23,000 customers of Blue Cross and Blue Shield of Vermont might have had some personal information taken, the company said. The stolen database included the Social Security numbers of only 22 of those customers, according to BCBS of Vermont, which is not an Anthem affiliate but sends some data into an Anthem-operated network when customers seek care in other states.

Personal information from 48,000 more Vermonters whose employers have group insurance from Anthem affiliates in other states may also have been in the stolen database, according to BCBS of Vermont.

Consumers affected by the data breach have multiple options for how to respond, starting with the free remedies offered by Anthem.

The company offered individuals whose information was taken free credit monitoring services for two years and coverage under a $1 million identity theft insurance policy from an Austin, Texas-based security firm called AllClear ID.

An AllClear spokesman referred to Anthem questions about how many of its customers had signed up for AllClear coverage and what problems those customers had reported. Manning said Anthem is not disclosing how many of the data breach victims have signed up for the AllClear service.

Critics have dismissed the AllClear coverage as too short and too weak.

Manning, the Anthem spokesman, defended the duration of the free coverage. “The industry standard prior to us announcing our cyber-attack was one year,” he said. “We doubled that.”

But Chi Chi Wu, a staff attorney for the National Consumer Law Center in Boston, said that while credit monitoring is the standard remedy offered by companies affected by data breaches, that service only “tells you that the horse has left the barn.”

Stephens said AllClear’s service, which monitors credit actions only at TransUnion, one of the nation’s three major credit bureaus, leaves consumers vulnerable to thefts that instead register with Equifax or Experian, TransUnion’s competitors. That’s a bypass that thieves can utilize and that could make consumers vulnerable to identity theft and delay their recognition of other forms of fraud, he said.

Wu said a more effective remedy for a consumer is to request a security freeze from the credit reporting firms. That prevents thieves from using a victim’s credit to open and make purchases with an account that takes advantage of their good credit.

The U.S. Federal Trade Commission says on its website that a security freeze “lets you restrict access to your credit report, which in turn makes it more difficult for identity thieves to open new accounts in your name.”

A drawback to a credit freeze, Wu said, is that “you may have to pay for it.” Costs typically range from $10 to $50 at each of the national credit reporting companies, according to the FTC.

A consumer with a security freeze can still open a new account, apply for a job, rent an apartment or buy insurance by “thawing,” or temporarily lifting, a freeze, the FTC says. That can be done by contacting a credit reporting company and identifying yourself with a PIN or password associated with the freeze. The freeze must be lifted within three days of receipt of a request. Costs vary by state.

There are additional steps that are important for consumers to take, according to the FTC. Even with a security freeze in place, they should check existing accounts for charges they don’t recognize. That’s because a freeze doesn’t affect transactions in existing accounts.

Without purchasing a credit freeze, a consumer can put in place a “fraud alert” that allows creditors to check a consumer’s credit so long as the affected customer is notified of the transaction. A fraud alert lasts for 90 days and can be renewed.

With or without a freeze, a consumer is entitled to a free annual review of his or her credit report from each of the three national credit reporting firms. That check is important for all consumers to do regularly, advocates say.

Preventing thieves from using purloined data to file bogus tax returns may require separate action. The IRS website says it will provide victims of identity theft with a personal identification number, or PIN, to use to verify online or paper filings. Luis D. Garcia, an IRS spokesman, said consumers who had been notified by Anthem that their data was taken in the breach should stay in touch with the company but could request a so-called IP PIN “only if your Social Security number has been compromised and your e-file return was rejected as a duplicate or IRS has informed you that you may be a victim of tax-related identity theft.”

Stephens, the privacy advocate, offered this advice:“If you’re expecting a refund, file early. The first person to claim the refund gets it.” That’s important, he added, because if someone else claims your refund “it can take a year or longer to clear things up and get your money.”

Legal Action

The current legal dispute is the latest stage of a controversy that became public on Feb. 5, 2015, when Anthem announced that the data breach had occurred. By early March, Anthem had sent letters to the affected consumers. “Suspicious activity may have occurred over the course of several weeks beginning in early December 2014,” Anthem said.

The compromised information included “names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses and employment information, including income data,” Anthem said.

More than 100 lawsuits were filed against Anthem, its affiliates and other companies in Blue Cross Blue Shield’s nationwide network, and those actions were combined into a multidistrict litigation proceeding in San Jose. Among the defendants in the combined lawsuit are Anthem Blue Cross and Blue Shield of New Hampshire, a unit of Anthem, and BCBS of Vermont, a non-Anthem company that is part of a nationwide network of insurers that provide coverage to each others’ subscribers.

The combined lawsuit, which is awaiting official court designation as a class action, alleges that hackers took advantage of Anthem’s “grossly inadequate computer systems and data security practices.” The hackers’ target was a “single data warehouse” in which Anthem kept information about its customers and those enrolled in its affiliated companies and other insurers in the Blue Cross Blue Shield network, according to the lawsuit. The database included information from customers from as far back as 2004, the lawsuit said.

The class action lawsuit alleges that “confidential medical records” were also left unprotected by Anthem.

“To date, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes, were targeted, accessed or obtained, although no assurance can be given that we will not identify additional information that was accessed or obtained,” Anthem said in its Feb. 19 securities filing.

Anthem’s data had been compromised in earlier cyber attacks, according to the lawsuit. In an incident that began in 2009, personal and medical information of more than 600,000 of the company’s customers was compromised. In 2013, Anthem paid a $1.7 million fine after the U.S. Department of Health and Human Services Office of Civil Rights found that the company had violated data protection provisions of the Health Insurance Portability and Accountability Act.

The lawsuit also cites a September 2013 audit by the HHS inspector general that warned that Anthem had prevented testing of an element of its database that could create “a potential gateway for malicious virus and hacking activity that could lead to data breaches.”

The lawsuit also alleges that Anthem failed to encrypt sensitive information, continued to use Social Security numbers as customer identifiers after other insurance companies had abandoned that practice, and kept old customer records around longer than needed.

Anthem “failed to notify potentially affected customers for several weeks, and in some cases months,” which left them vulnerable to filing of fraudulent tax returns, the lawsuit alleges.

“We do not comment on pending litigation,” said Manning, the Anthem spokesman.

The lawsuit claims Anthem violated its contractual obligations and consumer protection laws in 27 states including Vermont, data breach statutes in 18 states including New Hampshire, and some state insurance and privacy laws. Multiple claims from 114 separate lawsuits have been organized into 13 different counts in the consolidated proceeding in San Jose.

In November, Anthem and other defendants filed broad motions to dismiss selected claims in the lawsuit. On Feb. 14, a federal judge dismissed those claims against BCBS of Vermont and some defendants and some, but not all, claims against other defendants, which include Anthem affiliates as well as other participants in the Blue Cross network.

Rick Jurgens can be reached at rjurgens@vnews.com or 603-727-3229.

Valley News

24 Interchange Drive
West Lebanon, NH 03784


© 2019 Valley News
Terms & Conditions - Privacy Policy