As many as 8.8 million customers and 18.8 million non-customers were affected by the massive cyberattack suffered earlier this month by Anthem Inc., the health insurer reported Wednesday. It is the first time Anthem has disclosed specific numbers related to the breach, originally believed to have affected 80 million customers.
Anthem, as part of a national network of Blue Cross Blue Shield plans, was connected to a database of BCBS customers nationwide, accounting for the significant number of victims who were not direct customers of the insurer.
These estimates quantify the victims whose records were stolen, rather than simply accessed in the breach, Anthem said. Affected information likely includes names, dates of birth, member IB/Social Security numbers, addresses, phone numbers, email addresses and employment information.
The carrier plans to start mailing letters to its customers, as well as to the affected BCBS customers, by next week. It will offer two years of identity theft repair assistance, credit monitoring, identity theft insurance and fraud detection as recompense, a Reuters report said.
The breach is the first of its size and scale to affect an insurance company, though the industry has long been anticipating the eventuality of an attack, says Adam Hamm, North Dakota insurance commissioner and head of a new cybersecurity taskforce with the National Association of Insurance Commissioners.
“I think all insurance commissioners knew it was only a matter of time before a major insurer had a breach,” said Hamm, who leads NAIC’s Cybersecurity (EX) Task Force. “The fact that it happened immediately after the taskforce was named and populated only highlighted how important these issues are and how much of a need there is for us to have our arms completely around this.”
Insurance departments in seven states are leading an investigation of the breach, the results of which Hamm says will be incorporated into the taskforce's work activities for the coming year. Among other activities, the group hopes to develop a consumer bill of rights that would unify standards for how insurance companies safeguard consumer data and respond to any breaches.
Anthem has policyholders in 14 states, with hundreds of thousands reported affected in Iowa, Delaware, Pennsylvania, North Dakota and Connecticut, among other states.
