Reports: Anthem Hack Breached Past Customer DataThursday, February 12, 2015
The data breach at Anthem Inc. was broader than initially thought and could affect customers as far back as 2004, according to media reports on Thursday.
The Indianapolis insurer, which has 37 million current clients nationwide, was hit by hackers who compromised databases containing Social Security numbers, birth dates and other personal information of up to 80 million people.
Its Anthem Blue Cross subsidiary in Thousand Oaks is California's largest for-profit health insurer and serves 8 million state residents.
Reports in the Los Angeles Times and Ventura County Star on Thursday said the company now believes the hackers had access to personal data of customers dating to 2004.
Anthem said in a statement it plans to offer free identity theft protection and credit monitoring for two years starting Friday through its anthemfacts.com website. Previously, the company had offered one year of protection.
“Anthem is committed to timely notification to consumers affected by the cyber-attack on one of our databases,” the statement said. “Our goal is to provide peace of mind to consumers, while minimizing frustration.”
The company is continuing to investigate the breach, and California Insurance Commissioner Dave Jones has launched an investigation. Anthem has issued a warning to consumers to beware of scams, such as emails that appear to originate from Anthem and ask for personal information. Also, company plans to hold a "Town Hall webcast" on Tuesday, Feb. 17, to explain the hack and its consequences, and all current or former policyholders may participate.
The Anthem hack is among the largest data breaches in history. By comparison, a breach of Target Corp. in late 2013 compromised credit card information of 40 million customers, while a hack last summer at JPMorgan Chase & Co. left vulnerable names, addresses, phone numbers and email addresses of 83 million account holders.
Security issues over customer data are not new to Anthem.
In 2013, the company, then known as Wellpoint Inc., paid a $1.7 million penalty to settle allegations that it left the health information of more than 600,000 people online from October 2009 to March 2010 because of security weaknesses.