2015-02-25

NEW YORK (NBC NEWS) – The data breach of the second-largest U.S. health insurer may actually impact a lot of people who aren’t even customers.

8.8 to 18.8 million non-Anthem customers may be at risk, according to a statement from Anthem Tuesday night.

Anthem is part of a national network of independently run Blue Cross Blue Shield plans. Those Blue Cross Blue Shield customers are potentially affected because their records may be included in the Anthem database that was hacked.

Below is a statement from Anthem spokeswoman Kristin Binns:

On January 29, 2015, Anthem, Inc. (Anthem) discovered that it was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and obtained personal information from consumers who are current and former members of Anthem’s associated health plans, as well as information from consumers covered by other independent Blue Cross and Blue Shield plans working with Anthem.

Anthem’s initial analysis indicates that approximately 78.8M consumers may have been impacted by this cyber attack (meaning, their information could have been viewed by hackers who had accessed our database. This number does NOT equate to member records/data that was extracted or stolen from the database. The analysis of that number is still underway, and based on our investigation, we anticipate that number to be less than the total number of consumers whose data could have been viewed.) Approximately 60-70M of these consumers represent current or former Anthem members. The remainder includes current and former NON-Anthem Blue Cross Blue Shield members who used their Blue Cross and Blue Shield insurance in a state where Anthem operates over the last 10 years.

Despite our best efforts to attribute all members to a group, product or plan, a subset of unknown members still exists. Our analysis has identified approximately 14 million incomplete member records as of February 20, 2015. It is important to note that there is a very low likelihood that these incomplete member records tie to current, active Anthem members.

Unknown members are those that lack the necessary data elements to link a member back to a product, group or line of business (i.e. member records created by legacy systems or conversions, claims received without member information, member records sent from a third-party source, member records missing subscriber IDs or product coverage, etc.). A combination of data fields is required to accurately perform member assignment. When not enough fields are present, member assignment cannot be positively confirmed and the member record can only be categorized as incomplete.

While Anthem is not able to match incomplete records to a specific member, it does have valid mailing addresses for some of these records. Anthem will distribute member notifications to the valid address on file as part of its effort to notify every potentially impacted member. In addition, Anthem will use substitute notices on its website and in other locations to ensure information about free credit monitoring and identity theft repair services is available to all potentially impacted members.

Anthem’s investigation shows the personal information accessed includes member names, member health ID numbers, dates of birth, social security numbers, addresses, phone numbers, email addresses and employment information, including income data. The investigation to date shows no credit card information, banking information or confidential health information was compromised.

Free identity protection services will be provided by Anthem’s vendor AllClear ID – a leading and trusted identity protection provider. Those impacted can access these services prior to receiving a mailed notification from Anthem, which will be sent in the coming weeks. Members may access these services at any time during the 24 month coverage period. Visit AnthemFacts.com to learn how to access these services. Members may also access identity repair services by calling 877-263-7995.

The free identity protection services provided by Anthem include two years of:

Identity Theft Repair Assistance: Should a member experience fraud, an investigator will do the work to recover financial losses, restore the member’s credit, and ensure the member’s identity is returned to its proper condition. This assistance will cover any fraud that has occurred since the incident first began.

Credit Monitoring: At no cost, members may also enroll in additional protections, including credit monitoring. Credit monitoring alerts consumers when banks and creditors use their identity to open new credit accounts.

Child Identity Protection: Child-specific identity protection services will also be offered to any members with children insured through their Anthem plan.

Identity theft insurance: For individuals who enroll, the company has arranged for $1,000,000 in identity theft insurance, where allowed by law.

Identity theft monitoring/fraud detection: For members who enroll, data such as credit card numbers, social security numbers and emails will be scanned against aggregated data sources maintained by top security researchers that contain stolen and compromised individual data, in order to look for any indication that the members’ data has been compromised.

Phone Alerts: Individuals who register for this service and provide their contact information will receive an alert when there is a notification from a credit bureau, or when it appears from identity theft monitoring activities that the individual’s identity may be compromised.

Anthem has established a dedicated website where members can access information, including frequent questions and answers.

Copyright 2015 NBC News
