Q: I keep hearing about Anthem being a hacking target. What happened and am I at risk?
A: Anthem Inc., the second-largest health insurer in America, was targeted in a major security breach over the last month. New reports suggest hackers have been trying to compromise the company’s systems for months and may have been inside their system since December. According to the company, 80 million Anthem customers may have had their names, Social Security numbers and addresses compromised.
This is a unique event in the recent history of cybersecurity. Previous hacks, like those affecting Home Depot or Target, were attacking hardware. Hackers were exploiting vulnerabilities in computer hardware and software to gain access to confidential data. Here, the company is reporting that hackers had a different target: company employees.
Anthem reports that, beginning in December, hackers acquired login credentials of five employees. The employees could have been victimized by malware or social engineering scams. The hackers trying to beat Anthem didn’t need to find a flaw in the computer infrastructure. Instead, they just had to find a weakness in the people operating those systems.
Once they had these credentials, hackers used their access to do two things. First, they breached the company databases. Once inside, they exposed addresses, dates of birth, employment history, employment information, income data, medical ID’s, names and Social Security numbers. Particularly noteworthy is the fact that payment information was not compromised. That means there’s no need to cancel credit cards that were used to pay Anthem bills yet. Second, hackers created a number of phony email accounts with Anthem domains.
There are two ways victims might be affected by this scam. First, they might have their personal information stolen. This group exclusively consists of current and former Anthem customers. Given the timing of the hack, this will likely result in a fraudulent tax returns and possibly other instances of identity theft.
The second wave of victims is only just now emerging. The fake email accounts have been used to send wave after wave of “phishing” attacks to Anthem customers. These attacks take the form of an email apology with an offer for a year of free credit monitoring. Recipients of the email are redirected to another website to enter their Social Security number and other personally identifying information. This information is then used to commit any of a smorgasboard of identity theft crimes.
Anthem is currently being sued in several states. One lawsuit alleges current and former Anthem subscribers were misled about the security of their personal information and is seeking unspecified damages from the provider in overpaid premiums. Another pending lawsuit is seeking damages resulting from the frauds themselves. Until these lawsuits are settled, Anthem will likely not make any public statement of responsibility or apology, as this could be viewed by the courts as an admission of guilt. At this time, Anthem is offering no free credit monitoring service nor has it made any statement to members outside the press.
If you’re an Anthem subscriber, there are a few steps you should take as soon as possible. To find out if you’re an Anthem subscriber, check your insurance card. If you’re part of a group plan at work, you may need to ask your HR representative if your plan is administered through Anthem. In the meantime, take these three steps.
1.) File your taxes.
This will be one way to check if your Social Security number has been compromised. The state of Connecticut is encouraging their citizens to file early if they’re Anthem customers so hackers using stolen Social Security numbers will be easier to detect.
2.) Put a fraud alert on your credit report.
Contact any one of the three major reporting bureaus (Experian, Equifax, or Transunion) and explain your worries. A fraud report on one account will create a fraud report on all three, so there’s no need to duplicate your efforts. This report will notify you if anyone attempts to open an account in your name during the next 90 days. If you’re absolutely sure your number has been compromised, it might be worth putting a freeze on your credit history. This will prevent anyone from checking your credit or from opening up any account in your name, including you. While drastic, this measure is a sure-fire way to keep yourself safe.
3.) Get proactive with government services.
Notify the Social Security Administration and the Internal Revenue Service of the possible fraud to ensure that no one attempts to file a change of address form in your name. The US Postal Service also maintains a similar service. These steps will ensure that you’ll at least get a paper trail if someone makes an attempt to steal your identity.
Anthem is maintaining a toll-free question line. Customers with concerns or fears should call 877-263-7995. They have also created a website – www.AthemFacts.com – with up-to-date information about he scope and severity of the breach. They have made it clear that future contact with customers affected by the breach will be made by mail.