California Insurance Commissioner Dave Jones has launched an investigation into the Anthem Blue Cross security breach that allowed online hackers to steal personal data from 80 million individuals –believed to be the largest-ever cyberattack on the insurance industry.
The insurer, based in Thousand Oaks and owned by Anthem Inc., of Indianapolis, is California’s largest for-profit health insurer. It has about 8 million members in the state. The identity theft exposed the data of current and former members as well as employees.
“We are working with other regulators and conducting a review to confirm that the company takes the appropriate steps to protect and assist consumers and guard against future breaches,” Jones said in a statement.
He directed his staff to coordinate with other California regulatory agencies and with regulators in states where Anthem insurance companies are licensed to operate.
An initial investigation points to Chinese hackers as the likely culprits in the breach that may have begun as early as Dec. 10, the Los Angeles Times reported. There are similarities between this attack and one that targeted 4.5 million patients at a Tennessee-based hospital chain last year: In both cases, Social Security numbers, employment and income information and other identifying data was stolen, but credit card numbers and medical records were not taken.
Anthem is sending emails to its customers warning them about scam artists who may use news of the breach to commit further identity theft via phone calls or emails. It informs people that the company does not ask for personal information online or over the telephone, and instructs them not to give out credit card or Social Security numbers, click on links or open attachments in emails.
In the wake of the hack, two consumer groups renewed their concerns about the need for tightened privacy protections in the Cal INDEX, a statewide health information exchange created last year by Anthem Blue Cross and Blue Shield of California. They want patients to be required to opt-in to the database, rather than having their data automatically added unless they opt-out.
In a letter, Carmen Balber, executive director of Santa Monica-based Consumer Watchdog and Deborah C. Peel, founder of Patient Privacy Rights of Austin, Tex., warned: “The Anthem hack makes clear that no company can guarantee their customers’ information will be protected. Without that guarantee, consumers must have the ability to prevent their information from being shared before it occurs.”
Anthem has had prior security breaches and data lapses. In 2013, the company, then known as Wellpoint Inc., paid a $1.7 million penalty to settle allegations that it left the health information of more than 600,000 people online from October 2009 to March 2010.
Anthem will offer credit monitoring and identity theft protection free of charge to those affected by the crime, Anthem Chief Executive Joseph Swedish wrote in a statement posted earlier this week on a website dedicated to the breach – http://www.anthemfacts.com.