DOI Launches Investigation Into Anthem’s Response to Breach

The California Department of Insurance has launched an investigation into a data breach affecting about 80 million customers, former customers and employees of health insurer Anthem in California and other states, Bay City News reports (Bay City News, 2/5).

Anthem Blue Cross, the insurer's California branch, and other affiliated health plans in the state have about eight million enrollees that could have been affected by the breach.

Background on Breach

Earlier this week, Anthem President and CEO Joseph Swedish said that hackers "gained access to [the insurer's] computer system and took information including names, birthdays, medical IDs/Social Security numbers, street addresses, email addresses and employment information, including income data" (Rauber, "Bay Area BizTalk," San Francisco Business Times, 2/5).

The company has not yet identified the source of the cyberattack, but it could be the largest ever reported by a health care company and one of the largest breaches of customers' personal information (California Healthline, 2/5).

In response to the breach, Anthem said it has:

• Begun working with a cybersecurity team to evaluate the breach;
• Notified the FBI about the breach; and
• Sent notices to consumers.

The insurer also is offering no-cost credit monitoring and identity protection services to affected individuals.

Details of Investigation

On Thursday, California Insurance Commissioner Dave Jones (D) launched an investigation into Anthem's response to the breach. Jones directed DOI staff to coordinate efforts with other California regulatory agencies and other state insurance regulators across the U.S.

In a release, Jones said, "The Anthem breach underscores the need for insurance companies to take every precaution to protect their customers' information and make their consumers whole when a data breach occurs," adding, "We are working with other regulators and conducting a review to confirm that the company takes the appropriate steps to protect and assist consumers and guard against future breaches" (DOI release, 2/5).

Meanwhile, California Attorney General Kamala Harris (D) said consumers should take steps in response to the breach by:

• Being wary of phone calls from individuals claiming to work for Anthem;
• Considering placing a security freeze on credit files;
• Contacting credit bureaus, which can put fraud alerts on their Social Security numbers and prevent the opening of new credit accounts; and
• Reviewing credit reports for discrepancies (Bay City News, 2/5).

Breach Exposes Cal INDEX Privacy Concerns

In related news, Consumer Watchdog and Patient Privacy Rights say that the Anthem breach highlights the need for stronger privacy protections in the California Integrated Data Exchange, or Cal INDEX (Consumer Watchdog release, 2/5).

The statewide health information exchange was created by Blue Shield of California and Anthem Blue Cross in August 2014 (California Healthline, 11/20/14).

The groups are calling for Cal INDEX to require consumers to opt in to participation, rather than automatically adding consumers to the exchange and giving them the option to opt out.

In a letter to the CEO of Cal INDEX, Consumer Watchdog Executive Director Carmen Balber and PPR Founder and Chair Deborah Peel wrote, "The Anthem hack makes clear that no company can guarantee their customers' information will be protected. Without that guarantee, consumers must have the ability to prevent their information from being shared before it occurs" (Consumer Watchdog release, 2/5).