Federal, state officials launch inquiries into Anthem data breach

Federal, state officials launch inquiries into Anthem data breach
Federal and state officials are looking into the data breach at Anthem Inc., the nation's second-largest health insurer. (Michael Nelson/EPA)

Numerous government investigations are underway into the data breach involving 80 million Americans at insurance giant Anthem Inc.

Friday, officials from Anthem are meeting with staff members of a key congressional committee involved in cybersecurity.


California Insurance Commissioner Dave Jones and officials in Connecticut and other states where Anthem is a major insurer are also looking into what security measures the company had in place and what can be done to prevent future breaches.

House Energy and Commerce Committee Chairman Fred Upton (R-Michigan) said Anthem representatives will brief staff members of his panel Friday about the attack.

"Companies have been warned that it is not a matter of if they will be infiltrated, but when," Upton said in a statement. "That's why we're continuing hearings and opening new lines of investigation."

U.S. Rep. Michael McCaul (R-Texas), chairman of the House Homeland Security Committee, said he was briefed on the incident by Anthem on Thursday.

He applauded the Indianapolis-based insurer for working closely with federal law enforcement to identify the attackers and prevent further losses of data.

"Because of Anthem's swift response and transparency, I am hopeful that other companies can protect their consumers from similar attacks," McCaul said in a statement. "The attack on Anthem should sound the alarm bells for Americans."

Anthem has apologized to its customers and vowed to do everything possible to safeguard their personal information.

The company said it has doubled its spending on cybersecurity in the last four years.

"This is a priority for us and we take the protection of members' data very seriously," said company spokeswoman Kristin Binns. "The threat is immense."

Friday, Anthem reminded customers to be on alert for "scam email campaigns" where criminals try to trick people into giving up more personal information.

The company said it will contact current and former members by mail with specific information on how to enroll in credit monitoring and identity protection services.

"Anthem is not calling members regarding the cyberattack and is not asking for credit card information or Social Security numbers over the phone," the company said.

Meantime, at the state level, there are multiple inquiries ramping up.

Connecticut Atty. Gen. George Jepsen sent a letter to Anthem on Thursday seeking information about what security measures the company had in place prior to the intrusion and requesting a response by March 4.

"Breaches in security like this one put innocent consumers at significant risk of financial and other harm," Jepsen wrote in his letter to Anthem.

A recent wave of cyberattacks, including the hacking at Sony Pictures Entertainment, spurred President Obama during his State of the Union address to urge Congress to pass legislation aimed at thwarting those attacks and identity theft.

Anthem said the hackers had access to customers' names, dates of birth, Social Security numbers, addresses, phone numbers, email addresses and employment information.

Some of the customer data may also include details on their income.

Anthem said the attackers didn't appear to take patients' medical information or credit card numbers even though they were stored in the same database that was breached.

FBI officials have commended Anthem for detecting the break-in last week, only weeks after it apparently began, and for alerting authorities right away.

In other corporate hacking cases, the intrusion has gone on for months and companies didn't find out until outside experts notified them.

The government inquiries may focus on what steps Anthem took following a 2013 case when federal officials pointed out computer vulnerabilities at the company in a breach involving information on more 600,000 customers.

And last year the FBI warned healthcare companies industrywide that their computer security practices needed to be strengthened as the risk of cyberattack was increasing.

Twitter: @chadterhune