Anthem Breach Put 8.8 Million Non-Customers’ Data At Risk

Following the announcement earlier this month of a massive cyberattack, Anthem has more good news to share with the American public today.  While most companies breached by computer criminals only manage to see the data of their own customers go out the door, Anthem has achieved a new level of data security failure and managed to lose to hackers the data of 8.8 million people who are not even their customers.

The nation’s second largest health insurer is part of a national network of independently run Blue Cross Blue Shield plans – which allows BCBS customers to receive medical services when they are in an area where the network is operated by a different insurance provider.  Because those customers may be part of the database that was hacked, those Blue Cross Blue Shield (but non-Anthem) plan holders are potentially affected.

This is the first time that Anthem has quantified the impact of the breach on members of health insurance plans that it does not operate.

That brings the total records to a staggering 78.8 million customers, but that number is still lower than Anthem’s initial estimate of 80 million.  That figure includes 14 million incomplete records that the company found. The insurance company does not know the exact number of Anthem versus non-Anthem customers affected by the breach because of those incomplete records, according to Anthem spokeswoman Kristin Binns.

Binns went on to note that the hacked data were restricted to personal data – names, dates of birth, member ID/Social Security numbers, addresses, phone numbers, email addresses and employment information such as income data – but no payment information or medical data.

The company’s investigation is ongoing as Anthem tries to suss out what consumer information was actually stolen, as opposed to merely accessed.  The firm will begin mailing letters next week to Anthem customers and other Blue Cross Blue Shield members whose data may have been involved in the attack.

Security experts are becoming increasingly concerned, especially about what the Anthem breach represents.  It is becoming apparent that, unlike its counterparts in retail and finance, the healthcare industry seems to be behind the times in securing its data.  Anthem did not encrypt the hacked database at all – it saved encryption for file transfers.