Anthem Offers Services to Breach Victims
Providing Credit Monitoring, ID Theft Insurance
Nine days after revealing that hackers gained access to personal data for millions of its current and former customers, health insurer Anthem Inc. on Feb. 13 began offering breach victims two years of free credit monitoring and identity theft insurance, plus "identity repair assistance."
In a statement on a website Anthem set up to relay information about the breach, the company says affected individuals could begin to sign up at 2 p.m. ET on Feb. 13 for the free services being provided by AllClear ID.
The coverage is being offered "to current or former members of an affected Anthem plan or other independent Blue Cross and Blue Shield plans dating back to 2004," Anthem says. As many as 80 million individuals may have been affected by the breach, according to multiple news reports.
"AllClear ID is ready and standing by to assist you if you need identity repair assistance. This service is automatically available to you with no enrollment required. If a problem arises ... a dedicated investigator will do the work to recover financial losses, restore your credit, and make sure your identity is returned to its proper condition," the Anthem statement says.
"For additional protection, and at no cost, you may also enroll in the AllClear PRO service at any time during the 24-month coverage period." The AllClear PRO service offers "additional layers of protection, including credit monitoring and a $1 million identity theft insurance policy," Anthem says.
Investigation Continues
The availability of the free services comes as Anthem continues to investigate the breach and prepares to send notification letters to millions of individuals affected in many states.
The attorneys general of 10 states sent a letter to Anthem on Feb. 10, complaining that the company was too slow to communicate with affected individuals and, in particular, to provide them details about the protections the company will make available and how to access those protections. Anthem's statement on Feb. 13 provides some of the information that the AGs were seeking, including the services offered to breach victims.
Attorney Marc Voses, a partner at law firm Kaufman Dolowich & Voluck LLP, says the timing of Anthem's post-breach offerings to victims needs to be viewed in the context of the actions of other companies after huge breaches.
"Anthem notified customers of the data breach on Feb. 4, and about a week later, offered two years of credit monitoring [and other services]. In comparison, Home Depot announced it was investigating a data breach on Sept. 2, 2014, and six days later, notified customers that a breach had in fact occurred and offered credit monitoring that same day. On the other hand, word of the Target data breach came out in mid-December 2013, which was confirmed by the company on or about Dec. 20. Target subsequently offered one year of credit monitoring about three weeks later, starting around Jan. 13, 2014."
Timely Notification?
As to the state AGs' complaints about how Anthem is communicating with breach victims, Voses says: "In my opinion, it is too early to pass judgment. Anthem provided a timely notification of the data breach. There are many factors that go into the detecting, containing, and investigating a data breach that many people simply do not understand. While the frustration level of those potentially affected is understandably high, those tensions are only increased if a company rushes to provide notification of a breach with information that needs to be repeatedly revised."
Security and privacy expert Rebecca Herold, CEO of The Privacy Professor, says the enormous total of potentially affected individuals, and the fact that some affected data is more than 10 years old, is likely making the job of notification more difficult.
And because Anthem is also working with the FBI in the investigation, "they may have also been advised to not give notification yet during the investigation," Herold says.
'More Generous' Offerings
Anthem's offer of two years of free credit monitoring and ID theft insurance, plus "identity repair assistance," is more generous than what's often offered by other companies following big breaches. For example, Home Depot and Target both offered 12 months of credit monitoring, Voses notes.
The insurer has said that impacted information did not include credit card numbers or medical diagnoses. But the hack did expose names, dates of birth, Social Security numbers, healthcare ID numbers, home addresses, e-mail addresses and employment information, including income data.
In its Feb. 13 statement, Anthem says in addition to current or former members of one of Anthem's affiliated health plans potentially being impacted by the breach, "some members of other independent Blue Cross and Blue Shield plans who received healthcare services in any of the areas that Anthem serves over the last 10 years also may be impacted."
Anthem offering credit protections for members going back as far as 2004 doesn't come as a shock to some experts, given the number of individuals potentially affected.
"Most organizations I've reviewed, audited, done work for... throughout the years indicate that typically once data is collected or generated and put into storage, it stays there basically forever," Herold says. "And as storage becomes less expensive, more and more data is piling up within the repositories. Actually it wouldn't surprise me if the data was even older than this."
The HIPAA Privacy Rule does not regulate when covered entities must purge medical records, Voses notes. "However, many states' laws do govern the minimum amount of time that records should be retained."
The older data may also make it more difficult to locate some of the affected individuals, since information Anthem has, including mailing addresses, might be outdated for many. "A large number of victims will now be located elsewhere, and very possibly the timeframe for forwarding mail by the U.S. Postal Service will have passed," Herold says. "This makes it important to provide notification in more than one way."