Tag Archives: Anthem

NY Health Provider Excellus Discloses Data Breach Dating to 2013

Excellus BlueCross BlueShield, a large health care provider in New York state, says it was hit by an attack that began in 2013 and wasn’t discovered until last month, resulting in the compromise of members’ personal information, including Social Security numbers, addresses, financial and account information. The company did not specify how many people potentially […]

Impact of Healthcare Data Breaches Goes Beyond Financial

This past week, CareFirst, a U.S.-based BlueCross and BlueShield insurer with coverage in Mid-Atlantic states, revealed that 1.1 million user accounts were compromised. CareFirst is the third U.S. health insurance company to publicly acknowledge a data breach recently, following Premera Blue Cross and Anthem. It seems relatively small potatoes compared to Premera (11 million people) and Anthem, which acknowledged that hackers broke into a database containing personal information for about 80 million of its customers and employees. But if you’re one of the 1.1 million, it isn’t small potatoes.

It can also hit very close to home. I just discovered friends of mine were among those caught up in the Anthem hack, which also led to them being part of the income tax fraud scheme that I and my fellow blogger, Tony Anscombe, have written about previously. My friends were tipped off when a new credit card arrived that they hadn’t ordered. Shortly after, they tried to file their income taxes and found they’d already been filed – and a substantial over-payment (not based on their calculations) had already been claimed by the perpetrator.

CareFirst said that the attackers gained limited, unauthorized access to a single CareFirst database. CareFirst said the attackers didn’t get access to Social Security numbers, employment info, financial data, medical data or consumer passwords – because those are encrypted and stored in a separate system.

However, attackers could potentially have acquired members’ names, birth dates, email addresses and subscriber identification numbers. (You can also see the full statement from CareFirst on its website.)

The attack occurred in June 2014, two months after the insurer detected an attack that the organization thought it had contained. But the hackers had left behind hidden back doors that let them re-enter later, undetected, according to reports by the Baltimore Sun and others.

According to CareFirst, it has run comprehensive internal security tests and hired an outside security company for further assessment. It is offering two years of free credit monitoring and identity theft protection services to affected members. Finally, it is notifying the customers who might be compromised. (Anthem did this also, though my friend was not among those notified…)

IT security has to be a priority for all businesses, but particularly for healthcare, where the stakes are so high. The healthcare industry needs to conduct extensive ongoing internal IT evaluations and adopt stricter policies – especially around what data they need to keep and for how long.

According to new research by the Ponemon Institute sponsored by IBM, the “2015 Cost of Data Breaches Study”, data breaches in healthcare are the most expensive to remediate, and the cost is only going up. The study covered 350 companies in 11 countries across 16 industries.

Consider the case of the UK-based Cottage Healthcare Systems. Hackers swiped 32,500 patient records and its customers sued Cottage for $4.1 million. Its insurance company, Columbia Casualty Company, settled the claims. But now Columbia has come back to Cottage to recoup the settlement, because it claims Cottage did not provide adequate and secure IT systems, so it wants its money back.

As consumers, we have to do more too. We need to monitor the activity on all of our accounts, both financial ones and those with our health care providers and insurance companies – and note anything that’s irregular or suspicious.

You can find some helpful information on the Federal Trade Commission (FTC) website to identify signs of medical identity theft, including these:

  • A bill for medical services you didn’t receive
  • A call from a debt collector about a medical debt you don’t owe
  • A notice from your insurer saying you reached your benefit limit or denial of insurance for a condition you don’t have

The FTC encourages visiting IdentityTheft.gov to report incidents and get information on how to recover from identity theft.

How to detect and avoid phishing scams

As I predicted last week, the recent data breach at US insurance firm Anthem Blue Cross Blue Shield has led to a sharp increase in the number of phishing attacks pretending to be from the company.

What is Phishing?

There are some simple rules you can follow to ensure that you do not fall victim to any of these phishing attacks.

In this short video you will learn how to:

  • Recognise phishing emails in your inbox
  • Check you are on a legitimate webpage
  • View security certificates to ensure sites are safe

For more details on phishing and how to stay safe, visit this blog post from my colleague Michael McKinnon.

Follow me on Twitter @tonyatavg

Anthem ‘Medical’ Hack – What should you do?

Anthem Blue Cross Blue Shield, a medical insurance provider in the US, was subject to a serious data breach that included personal information of its members, past and present.

The data stolen includes names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information including income data.

The type of data that has been reported stolen means that this breach is potentially much more serious than most of the large data breaches we saw last year. Those hacks were primarily of credit card and transaction data.

Generally, when credit card account details are taken, victims can limit the damage by stopping their card and changing their password. Credit card companies will also cover most of the liability.

The difference with this theft, though, is that misuse of the stolen data is a lot more difficult to track than a simple financial transaction. Social security and insurance information can be used for anything from a false insurance claim to collecting prescription drugs.

If you think that this data breach may affect you then you should carefully check your next health insurance bill. Be sure to check that all the claims are indeed yours and dispute things that seem strange.

It’s important to catch the misuse of your insurance quickly, before medical debt notices are issued because of unpaid bills. That could lead to credit rating issues or, in the worst case, you could be refused insurance due to a condition that you don’t actually suffer from.

As a precaution, here are some other actions you should take, in addition to checking your medical statements as described above:

  1. Ensure your online accounts are not using the same email and password combination that you may have had stored with Anthem; change any that are the same as your Anthem details.
  2. Keep a close watch on your credit reports. This will help you identify if someone is using your identity to take out a line of credit in your name. Most credit scoring agencies allow you to run a report for free at least once.
  3. Spammers may send emails that look like they are coming from Anthem. Make sure to carefully scrutinize these emails – don’t click on links that look suspicious – and if in doubt contact Anthem to ensure it’s an official communication.
  4. Moving forward, avoid using the same email address or identity across multiple online accounts. For example, have a primary email address used for recovery of forgotten passwords and account information. Have a secondary email address for offline and online retail transactions. Have a third for financial accounts and sensitive information.

Follow me on Twitter @tonyatavg