After one of the biggest thefts of medical-related customer data in U.S. history, Anthem Inc. warned consumers Friday against email and phone scams seeking to take advantage of the breach.
Anthem disclosed the attack late Wednesday, saying personal information from its nearly 80 million members was exposed to unknown hackers during a period of about six weeks. It does not believe credit card or medical records were compromised.
Now the Indianapolis-based health insurer says “phishing” scams are targeting Anthem customers to get personal information using the breach as a pretense. The company also said consumers should be aware of phone calls about the cyber attack that ask people for credit card or Social Security numbers.
The health insurer said it was not notifying affected customers about the breach using email or phone, and was instead sending information via mail.
Anthem, which recently changed its name from WellPoint, runs Blue Cross Blue Shield plans in more than a dozen states, including Missouri. It is the largest insurer in Missouri and has 1.2 million members in the state.
Also on Friday, the National Association of Insurance Commissioners said it was taking steps to investigate the breach.
“We are in agreement that an immediate and comprehensive review of the company’s security must be a priority to ensure protection of consumers who are covered by Anthem,” said Monica Lindeen, association president and Montana Commissioner of Securities and Insurance, adding that the group has been in discussion with Anthem executives.
The association said Missouri, Indiana, California, Maine and New Hampshire — all of which have high numbers of Anthem customers — will take the lead in the investigation.
The breach is raising new concerns about privacy and data protection, especially when it comes to health records.
In a striking omission from federal law, insurers aren’t required to encrypt customers’ information. Encryption uses mathematical formulas to scramble data, converting sensitive details coveted by intruders into gibberish.
Anthem has said the stolen data from the breach was not encrypted.
“Any identifying information relevant to a patient … should be encrypted,” said David Kibbe, CEO of DirectTrust, a nonprofit working to create a national framework for secure electronic exchange of personal health information.
It should make no difference, he says, whether that information is being transmitted on the Internet or sitting in a company database, as was the case with Anthem.
The Associated Press contributed to this report.