Security experts knew it was not a matter of whether a major breach would occur in the health-care industry, but when. And they knew it could entail reams of valuable personal data.
Health insurer Anthem Inc. on Thursday attempted to calm fears after announcing late Wednesday that as many as 80 million current and former policy holders may have had their personal information stolen in what is thought to be the largest health-care data breach to date.
While the company said no personal medical data or credit card information had been compromised, the type of information stolen in the breach — including names, birth dates, social security numbers, addresses, member IDs — could represent a treasure trove to cyber-thieves, experts said.
The company, government officials, and privacy experts urged consumers to take steps to protect themselves: Such steps include signing up for free identity theft protection Anthem is offering and remaining vigilant about their financial and insurance information.
"The general direction we are giving people is, if you have one of those cards, assume you were probably in the data set," said Thomas Miller, Anthem's chief information officer. "At least you know that this compromise has happened. ... We will let you know as soon as we know more."
At this point, it is too early to tell how many people were affected and just who were victims of the breach, Miller said. Nor does Anthem know how far back the records go, though the pool likely includes people now deceased.
'Mass victimization'
"This is absolutely the worst kind of data breach, because thieves have stolen the information that's the most valuable, the most dangerous and impossible to change or cancel," said Neal O'Farrell, Credit Sesame's security and identity theft expert in an email. "This is mass victimization of the worst kind."
A website Anthem set up to answer questions and concerns, www.anthemfacts.com, had received more than 265,000 hits by the middle of the day on Thursday.
And an Indianapolis lawyer filed a class-action lawsuit in U.S. District Court against the nation's second-largest insurer, after fielding numerous calls from irate policy holders.
"Anthem needs to get its act together. It needs to protect people's data and it needs to provide whatever remedies are allowed by law," said attorney Irwin Levin of the firm Cohen & Malad.
But Anthem officials said that they have gone above and beyond in letting people know about the breach. Other companies could have spent months gathering information before going public with the news that information may have been stolen. Instead, Anthem went public within a week of learning about rogue activity in the company's computer system, Miller said.
Bloomberg News reported Thursday that Chinese hackers may have been behind the theft.
The company had extensive plans in place to protect its information, Miller added. In the past four years, Anthem has doubled the amount of money it spends on cyber-security. The company has almost 200 security specialists on staff.
"The industry is certainly a target and we know that," Miller said. "You always sit there, wondering could we have done anything different. Our security capabilities are certainly on par with the industry, if not better."
Casualty of doing business
Privacy expert Rick Kam, president and co-founder of the Portland, Ore.-based company ID Experts, agreed that there's only so much companies like Anthem can do to protect their data. Security breaches are just part of doing business, he said, just like toxic and hazardous waste is an unpleasant byproduct of the Industrial Age.
"It's just the age we live in; there's information everywhere," Kam said. "So, all of us just have to be more vigilant."
Others, however, say the onus lies on the industry to ensure that the precious personal information required to access health care is adequately protected.
The widespread adoption of electronic health records in recent years has, if anything, increased the potential for misuse of that data.
Last August, Community Health Systems, a Tennessee-based hospital chain, announced that Chinese hackers had stolen non-medical data from 4.5 million patients. In 2010, Wellpoint, which had been bought by Anthem in 2004, announced that the credit card information and medical records of about half a million policy holders had been stolen.
A PriceWaterhouseCoopers study found information security incidents rose by 60 percent in the health-care industry in 2014.
Numerous tools exist that companies can deploy and this episode brings home the need for better protective measures, said Benn Konsynski, George S. Craft professor of information systems and operations management at Emory University's Goizueta Business School.
"The scale is enormous. I am sort of bewildered that we still have this magnitude of exposure," he said. "It certainly is the third or the fourth wake-up call to the market. ... (It) is incumbent on firms like that to go the extra mile to make sure that exposure is prevented or minimized in those processes."
Long-term ill effects
The type of information that the hackers have accessed could create problems for those affected for years to come, experts say.
Such information can be sold on the black market to open the door to a range of identity theft schemes. For instance, criminals have all the information they need to submit fraudulent tax returns, Kam said. Victims might not realize they have been affected until they try to process their returns.
Or, a person could use the information to engage in medical identity fraud, said Ann Patterson, senior vice president and program director of the Medical Identity Fraud Alliance. Consumers need to carefully review all explanations of benefits they received from insurers to make sure that they have not been the victim of medical identity theft.
Medical identity theft could inadvertently result in harm to the victim, Patterson added. For instance, if the perpetrator does not share the same blood type as the victim, a person could receive a dangerous transfusion.
And unlike credit card fraud, this episode may affect not just individuals but entire families.
Greenwood resident John Sickmeier takes pains not to give out his or his five children's Social Security numbers. Whenever asked for this data on a form, he jots down a note, "Call for number." That way, he said, he restricts how many people have access to this information.
The Anthem breach, which could include his children's Social Security numbers, could haunt them for years to come, he said.
"What was stolen was far more threatening and egregious. It's everything that a thief would need to steal one's identity," Sickmeier said. "This could very well be a lifelong battle either for myself or any of my children."
Star reporter Tim Evans contributed to this report.
Call Star reporter Shari Rudavsky at (317) 444-6354. Follow her on Twitter: @srudavsky.
To learn more
Anthem has established a website, www.anthemfacts.com, where members can access information about the breach. There is also a toll-free number for current and former members to call, (877) 263-7995.
— Associated Press
Join the Conversation
To find out more about Facebook commenting please read the Conversation Guidelines and FAQs