If the victims of the Anthem health insurer breach weren't feeling vulnerable enough, the Federal Trade Commission is warning people that phishing scams in relation to the breach are being reported.
Scam artists "are sending phony 'Anthem' emails that pretend to help customers, but actually phish for their personal information," according to a consumer education specialist with the FTC.
The scam email is designed to look as if it comes from Anthem and asks customers to click on a link for free credit monitoring. Anthem says it will contact current and former customers by postal mail with specific information on how to enroll in credit monitoring. Anthem also says it’s not calling customers about the data breach or asking for credit card information or Social Security numbers over the phone.
Anthem offers these tips if you receive a phishing email:
- DO NOT click on any links in the email.
- DO NOT reply to the email or reach out to the senders in any way.
- If you have clicked on a link in the email, DO NOT supply any information on the website that opens.
- DO NOT open any attachments that arrive with the email.
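Those tips are for recipients. On the mail-handling side, the kind of message described above, one that claims to come from Anthem but whose sender address and "credit monitoring" link point elsewhere, can be flagged automatically. The script below is an added example written for this article, not code from Anthem or the FTC; the sample message is fabricated, the legitimate domain `anthem.com` is an assumption, and the `.example` hosts are placeholders.

```python
"""Defender-side check for e-mails that impersonate an organisation.
Constructed example: the sample message is fabricated, the legitimate
domain is an assumption, and .example hosts are placeholders."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAIN = "anthem.com"  # assumed legitimate domain, not taken from the article


class LinkCollector(HTMLParser):
    """Collect every href in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def registered_domain(host):
    """Reduce 'www.mail.example.com' to 'example.com' (naive two-label rule)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def assess(raw_message, legit_domain=LEGIT_DOMAIN):
    """Return findings for a raw RFC 5322 message; empty means nothing looked off."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = email.utils.parseaddr(str(msg["From"]))[1]
    if registered_domain(sender.rpartition("@")[2]) != legit_domain:
        findings.append("sender domain is not " + legit_domain)
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href in collector.hrefs:
        if registered_domain(urlparse(href).hostname or "") != legit_domain:
            findings.append("link points off-domain: " + href)
    return findings


# Constructed sample of the kind of message the article describes.
SAMPLE = """\
From: "Anthem Member Services" <alerts@anthem-member-services.example>
Subject: Free credit monitoring after the data breach
Content-Type: text/html; charset=utf-8

<p>Dear member, <a href="http://anthem-credit-monitoring.example/enroll">click
here</a> to enroll in free credit monitoring.</p>
"""
```

Running `assess(SAMPLE)` yields two findings, one for the sender domain and one for the off-domain link; a message sent from the assumed domain with links under it yields none.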
And if phishing scams weren't enough, it appears that hackers may have first gained access to former and current Anthem customers' personal information as far back as April 2014 — "nine months before the company says it discovered the intrusion," according to security expert Brian Krebs.
On Feb. 5, lawsuits were filed against the insurer in federal courts in Alabama, California and Indiana.
In California — a state that could have as many as 8 million breach victims — the suit was filed by an Anthem policyholder who argues that members "paid more than they would have" for coverage "had they known how the company would fail to properly secure and misuse their personal information." The suit alleges that "shoddy security protocols ... made [Anthem] susceptible to the massive hack," according to CaliforniaHealthline.org.
Experts said Anthem did not encrypt the consumer data it stored, unlike the medical information it shares outside its database. In addition, Anthem — like many other health care organizations — did not store personal data in separate databases that could be locked if an attack occurs, according to a report in The New York Times.
However, Anthem spokesperson Kristin Binn noted that encryption would not have prevented the recent data breach because the hacker used a system administrator's ID and password to enter the system, according to a story by the Associated Press.
This was not Anthem's first breach. The company was fined $1.7 million for a 2010 computer breach that resulted in the disclosure of personal information of approximately 612,000 people.
The fine was levied by the U.S. Department of Health and Human Services under HIPAA, the 1996 Health Insurance Portability and Accountability Act, which governs the confidentiality and security of medical information, a USA Today article reports.
At the time, Anthem was known as WellPoint. The company was formed when Anthem Insurance bought WellPoint Health Networks in 2004.
The HHS investigation found that in 2009 and 2010, WellPoint did not adequately implement policies and procedures to protect unsecured "electronic protected health information" covered by HIPAA.
The names, dates of birth, addresses, Social Security numbers, telephone numbers and health information of WellPoint customers were disclosed as a result, HHS said.
"The personally identifiable information that HIPAA-covered health plans maintain on enrollees and members — including names and Social Security Numbers — is protected under HIPAA, even if no specific diagnostic or treatment information is disclosed," said Rachel Seeger, a senior HHS adviser, according to USA Today.
WellPoint's chief information security officer at the time of the fine imposed for the 2010 breach was Roy Mellinger. He currently holds the same role at Anthem.