AGs: Anthem Breach Notification Too Slow
Insurer Says Victims Will Get Two Years of ID Theft Protection
Ten state attorneys general have written to Anthem Inc. to "express alarm" that the nation's second-largest health insurer has not yet communicated with those affected by its recent data breach, which was disclosed Feb. 4 and may have affected as many as 80 million individuals.
But the health insurer tells Information Security Media Group that it will post information online by Feb. 13 on how those affected by the breach can apply for two years' worth of free identity theft protection and credit monitoring services while it continues efforts to identify the millions affected.
The attorneys general letter, dated Feb. 10, was written "to express our alarm at the failure of the company to communicate with affected individuals and, in particular, to provide them details about the protections the company will make available and how to access those protections," writes George Jepsen, Connecticut's attorney general.
"The delay in notifying those impacted is unreasonable and is causing unnecessary added worry to an already concerned population of Anthem customers," the letter continues. "We are also concerned that delays in providing protections to the victims of this breach compound the risk they face."
In the letter, Jepsen commends Anthem for the relative speed at which it disclosed the breach. "On or about the same date that Anthem announced the breach ... the company assured me and others that free credit monitoring and identity theft protections would be afforded to those impacted by the breach," he says. But since that time, few follow-up details have been provided, he adds.
Jepsen sent the letter on behalf of state attorneys general of Arkansas, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania and Rhode Island.
Earlier, the National Association of Insurance Commissioners announced plans to launch a multistate examination of Anthem, in addition to several state attorneys general initiating their own investigations (see: State Authorities Probe Anthem Hack).
Anthem's Response
In a statement provided to Information Security Media Group on Feb. 11, Anthem says it is "committed to timely notification to consumers affected by the cyber-attack on one of our databases."
"Since the attack was discovered, we have been working with a vendor that is quickly making the necessary preparations to provide credit monitoring and identity theft protection services to the millions of people potentially affected by this attack," Anthem says. "We have laid out a thoughtful plan with this vendor so that they can accommodate what we anticipate will be very high demand for these services. Our goal is to provide peace of mind to consumers, while minimizing frustration."
Anthem says information on how to enroll in identity theft protection and credit monitoring services will be posted at anthemfacts.com on Feb. 13.
The insurer reports that it's still attempting to determine who was affected by the cyber-attack so that it can begin mailing notification letters as soon as possible.
"Starting Friday, consumers will be able to enroll in ID theft protection and credit monitoring," says Tony Felts, a spokesperson for Anthem. "They won't have to wait for a notification letter to arrive in the mail. These services are being made available 11 days after the breach was discovered, a much faster timeline than some other high-profile data breaches."
Anthem's delay in communicating to those affected by the breach shows the insurer "does not seem to be considering the impact" on its customers, says privacy and security consultant Rebecca Herold. "But, if they are looking at the letter of the law, it is probably staying within what is legally required."
Warning to Consumers
In the aftermath of the Anthem breach, the Connecticut Department of Revenue Services is advising taxpayers who may have been affected by the cyber-attack, and who are expecting federal or state income tax refunds, to file their tax returns as soon as possible.
"The personally identifiable information apparently hacked at Anthem is exactly what tax fraud thieves use to make false refund claims that appear to be legitimate," says Commissioner Kevin Sullivan. "They will try to file and steal the refund before the real taxpayer has a chance. Then the taxpayer will be denied the refund and it can take years to resolve the problem."