Last week health insurance giant Anthem Inc. said hackers had breached its computer system and that the personal information of tens of millions of customers and employees was possibly at risk.
The attack on the nation’s second-largest health insurer could be one of the largest data breaches in the healthcare industry, experts said. Anthem said hackers infiltrated a database containing records on as many as 80 million people.
Hackers appear to have accessed customers’ names, dates of birth, Social Security numbers, member ID numbers, addresses, phone numbers, email addresses and employment information, Anthem said. Some of the customer data may also include details on their income.
At this point, it appears that the data stolen do not include medical information or credit card numbers, according to the company. But, privacy advocates said the Anthem hack may pose even greater risks to consumers than previous breaches at big retailers such as Home Depot and Target.
Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse in San Diego, said the wide array of personal information taken opens up more possibilities for mischief. “You essentially have the keys to the kingdom to commit any type of identity theft,” Stephens said. “The information can be used not only to establish new credit accounts but also potentially penetrate existing accounts at financial institutions or a stock brokerage. The scope of the information involved is incredible.”
Anthem has more than 37 million members in California and 13 other states. But the company warned that it also had information in its database on other Blue Cross Blue Shield patients from all 50 states who had sought care in its coverage area.
Anthem is the latest organization to be hit by a large-scale data breach. Major retailers, including Target, Home Depot, Michaels and Neiman Marcus have all suffered hacks recently.
The wave of cyber attacks, including the recent hacking at Sony Pictures Entertainment, spurred President Obama during his State of the Union address to urge Congress to pass legislation to fight cyber attacks and identity theft.
The FBI, which is investigating the Anthem breach, complimented the company’s quick response to the hack. “Anthem’s initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances,” a statement from the FBI said. “Speed matters when notifying law enforcement of an intrusion, as cyber criminals can quickly destroy critical evidence needed to identify those responsible.”
“For individuals, in a few words, it is a nightmare,” he said. “If the attackers had access to names, birthdays, addresses and Social Security numbers, it means that information can be easily used to carry out identity theft schemes.”
What can I do to protect myself?
Although Anthem said it appears no credit card data were stolen, the litany of personal information accessed exposes customers to identify theft. Customers should monitor their debit and credit card accounts and report any suspicious activity immediately, security experts said.
Expert Tony Anscombe of AVG Technologies advised people to watch for emails that look like they came from Anthem and not to click on suspicious-looking links. “If in doubt contact Anthem to ensure it’s an official communication,” he said.
He also advised customers to monitor their credit reports to ensure someone isn’t taking out a line of credit using their identity. Customers should also change their email and password combination on any online accounts, if they were the same ones used with Anthem, he said.
The hack “is a very different issue compared to breaches at Target and Home Depot. Stealing medical IDs, Social Security numbers, and addresses poses a much larger risk of identity theft since these details can be used to act and behave as the customer,” Anscombe said.
The publicity surrounding the breach, which exposed information on about 80 million people, is already generating phishing email scams, in which criminals posing as legitimate businesses try to persuade people to sign up for bogus credit protection services and provide personal information about themselves.
The key is the hackers’ motive. While they could be preparing to sell the information on the black market, they may also be searching for intelligence on government officials or senior executives who mask their personal information, but tend to provide real names and real numbers when dealing with health-related matters.
Medical identity theft is on the rise, experts say, because it pays. In black-market auctions, complete patient medical records tend to fetch higher prices than credit card numbers. One security expert said that at one auction a patient medical record sold for $251, while credit card records were selling for 33 cents.
After the large data breaches at major retailers like Target and Home Depot, the black market for credit cards has been flooded. And after the bank becomes aware of the theft, those cards are usually canceled quickly.
In contrast, patient medical records typically include information not easily destroyed, including date of birth, Social Security numbers and even physical characteristics that make them more useful for things like identity theft, creation of visas or insurance fraud by falsely billing for expensive medical or dental procedures that were either never done or performed on someone else. Some criminals have also tried a form of so-called ransom ware in which they threaten to reveal medical information unless they are paid.
From the Federal Trade Commission
What should I do if I think my information is compromised?
Place a Fraud Alert
Ask 1 of the 3 credit reporting companies to put a fraud alert on your credit report. They must tell the other 2 companies. An initial fraud alert can make it harder for an identity thief to open more accounts in your name. The alert lasts 90 days but you can renew it.
Why Place an Initial Fraud Alert
Three national credit reporting companies keep records of your credit history. If someone has misused your personal or financial information, call 1 of the companies and ask for an initial fraud alert on your credit report. A fraud alert is free. You must provide proof of your identity. The company you call must tell the other companies about your alert.
An initial fraud alert can make it harder for an identity thief to open more accounts in your name. When you have an alert on your report, a business must verify your identity before it issues credit, so it may try to contact you. The initial alert stays on your report for at least 90 days. You can renew it after 90 days. It allows you to order one free copy of your credit report from each of the three credit reporting companies. Be sure the credit reporting companies have your current contact information so they can get in touch with you.
Identity theft happens when someone steals your personal information and uses it without your permission. It’s a serious crime that can wreak havoc with your finances, credit history, and reputation — and can take time, money, and patience to resolve.
Placing both extended fraud alerts and credit freezes on your credit reports can make it more difficult for an identity thief to open new accounts in your name.
Tax-Related Identity Theft
An identity thief may use your Social Security number to get a tax refund or a job. Contact the IRS if they send you a notice saying their records show:
• You were paid by an employer you don’t know
• More than one tax return was filed using your Social Security number
Uncovering Tax-Related Identity Theft
The IRS uses your Social Security Number (SSN) to make sure your filing is accurate and complete, and that you get any refund you are due. Identity theft can affect how your tax return is processed. An unexpected notice or letter from the IRS could alert you that someone else is using your SSN, however, the IRS doesn’t start contact with a taxpayer by sending an email, text or social media message that asks for personal or financial information. If you get an email that claims to be from the IRS, do not reply or click on any links. Instead, forward it to firstname.lastname@example.org.
If someone uses your SSN to file for a tax refund before you do, the IRS might think you already filed and got your refund. When you file your return later, IRS records will show the first filing and refund, and you’ll get a notice or letter from the IRS saying more than one return was filed for you.
If someone uses your SSN to get a job, the employer may report that person’s income to the IRS using your SSN. When you file your tax return, you won’t include those earnings. IRS records will show you failed to report all your income. The agency will send you a notice or letter saying you got wages but didn’t report them. The IRS doesn’t know those wages were reported by an employer you don’t know.
Dealing With Tax-Related Identity Theft
If you think someone used your SSN for a tax refund or a job — or the IRS sends you a notice or letter indicating a problem — contact the IRS immediately. Specialists will work with you to get your tax return filed, get you any refund you are due, and protect your IRS account from identity thieves in the future.
From an article on Creditsesame.com blog
‘5 Steps to take immediately if you’ve been a victim of identity theft’
Identity theft has topped the list of consumer complaints filed with the FTC for 13 consecutive years and there’s no evidence that this year it won’t make the list for the 14th. Just how many victims of identity theft are there each year? While we don’t yet have the figures for 2013, a Javeline report puts the numbers from 2012 at 12.6 million. Factor in the more than 70 million Americans impacted by the recent Target and Niemen Marcus data breaches, and it’s clear why identity theft is a major concern for many Americans.
Identity theft takes many forms. Some of the most common include:
• Credit card fraud
• False applications for new credit
• Fraudulent withdrawals from a bank account
• Fraudulent use of telephone calling cards
• Fraudulent use of an IP address in order to engage in illegal acts online
• Fraudulent use of medical care
• Social security fraud (for tax and employment fraud)
If you know or suspect that you are the victim of identity theft, there are steps you should take immediately to stop the theft and minimize the damage.
1. Put a Fraud Alert on Your Credit Reports
A fraud alert puts a red flag on your credit report and notifies lenders and creditors that they should take extra steps to verify your identity before extending credit. To place a 90-day fraud alert on all three of your credit reports, you only need to contact one of the three credit reporting agencies (Experian, Equifax, or TransUnion). When you place the initial alert, they will automatically notify the other two agencies for you.
Another option—and a more effective identity theft prevention measure—is to place a security freeze on each of your credit reports. A freeze prevents creditors (except those with whom you already do business) from accessing your credit report(s) at all. New applications will automatically be declined. With a security freeze in place, you will need to take extra steps if you wish to apply for new credit. Each agency has a procedure for temporarily “thawing” your file in order to allow a legitimate application to be processed and unlike a fraud alert, you’ll need to contact each agency individually to place a freeze on each of your reports. See more information about security freezes here: Experian, Equifax and TransUnion.
When you place a fraud alert on your credit reports, you’re entitled to a free copy of your credit report from each of the three agencies. Be sure to obtain them. If you find fraudulent items on your credit report(s), the simplest way to begin the dispute process is to click the item while viewing your credit report online. Some items must be disputed in writing and with supporting documentation. Hard inquiries cannot be disputed, but may give you a clue as to where a thief has applied for credit in your name.
Initial fraud alerts are free and remain in place for 90 days. In some cases, security freezes and extended fraud alerts incur a small fee, but these services are free to victims of identity theft.
2. Contact Any Institution Directly Affected
For example, if you know your credit card was stolen, report the theft to the credit card issuer. If your checkbook was stolen, contact your bank.
For this step it’s really helpful if you’ve prepared a list of institutions and phone numbers in advance. You don’t have to write account numbers down on the list – that would be just one more way for a thief to gain access to your personal information. But do keep a list of what’s in your wallet, along with the contact information for each item.
3. Contact the Federal Trade Commission (FTC)
File an Identity Theft Affidavit and create an Identity Theft Report. You can file your report online, by phone (toll-free): 1-877-ID THEFT (877-438-4338); TDD (toll-free): 1-866-653-4261, or by mail — 600 Pennsylvania Ave., Washington DC 20580.
The FTC will provide you with information about what to do next, depending on what type of fraud was (or may have been) committed.
4. File a Police Report
To complete the Identity Theft Report, you’ll need to contact your local law enforcement office and report the theft. Be sure to get a copy of the police report and/or the report number. Both your police report and the FTC Identity Theft Affidavit combine to create your Identity Theft Report. Your Identity Theft Report will help you when working with the credit reporting agencies or any other companies the identity thief may have used to open accounts in your name.
5. Protect Your Social Security Number
If your social security number was or may have been compromised, contact the Social Security Administration (800-269-0271) and the Internal Revenue Service (800-829-0433).
It’s important to talk to the SSA if you have reason to believe your social security number has been compromised, even if you don’t yet see any evidence of financial fraud. A thief could be planning to swipe your tax refund, or to obtain employment in your name.
In addition to these five steps, if you have reason to believe the identity thief may have submitted a fraudulent change-of-address to the post office or has used the U.S. mail to commit the fraud against you, contact the Postal Inspection Service, which is the law enforcement and security branch of the post office.
This list is not exhaustive. These are only some of the first few steps. Indeed, clearing the wreckage of identity theft can be a laborious and complex process. For more information about how to prevent or recover from identity theft, the U.S. Department of Justice and the Federal Trade Commission offer a wealth of information and will walk you through the steps.