U.S., states probe massive data breach at health insurer Anthem

California Insurance Commissioner Dave Jones said regulators “will cast a very wide net,” examining whether Anthem heeded earlier warnings about security weaknesses.
California Insurance Commissioner Dave Jones said regulators “will cast a very wide net,” examining whether Anthem heeded earlier warnings about security weaknesses.
(Rich Pedroncelli / Associated Press)

Alarmed by the vast breach of consumer privacy, federal and state officials have launched investigations into the cyberattack at insurance giant Anthem Inc. that involved up to 80 million Americans.

State insurance commissioners announced plans Friday for a nationwide investigation given the scope of the information exposed and huge number of consumers affected. California, Indiana and other states with large numbers of Anthem members will lead the inquiry.

MORE: Anthem cyberattack reminiscent of other Chinese hacks, expert says


California Insurance Commissioner Dave Jones said regulators “will cast a very wide net,” examining whether Anthem heeded earlier warnings about security weaknesses and whether the firm should have taken stronger measures — such as encrypting data — ahead of time.

“We will be looking at anything that might have a bearing on the data breach and what could have been done to prevent it,” Jones said in an interview. “The Anthem breach underscores how critically important it is for insurance companies and any company that holds consumers’ data to adopt the strongest possible protections.”

In Washington, federal health officials overseeing medical-privacy laws said they too are looking into the Anthem matter. Executives at the nation’s second-largest health insurer met Friday with staff members of a key congressional committee involved in cybersecurity.

The Indianapolis-based insurer said it takes consumer privacy seriously and will cooperate fully with the various investigations.

“Since discovering this attack, we have taken quick action to enhance our systems and security processes,” said Anthem spokesman Darrel Ng. “Our focus continues to be working with FBI and cybersecurity experts so that we can determine the extent of this security breach and notify our customers.”

In a bid to prevent further harm to consumers, Anthem issued an alert about “scam email campaigns” that try to steal more of people’s personal information.


The insurer said it will contact current and former customers by mail with details on how to enroll in credit monitoring and identity protection services.

House Energy and Commerce Committee Chairman Fred Upton (R-Mich.) said Anthem representatives met with his panel Friday about the attack.

“Companies have been warned that it’s not a matter of if they will be infiltrated but when,” Upton said. “That’s why we’re continuing hearings and opening new lines of investigation.”

The insurer disclosed Wednesday that hackers infiltrated a key database and took current and former customers’ names, dates of birth, Social Security numbers, phone numbers, email addresses and other personal information. Some of the customer data may also include details on their income.

Anthem said the attackers didn’t appear to take patients’ medical information or credit card numbers even though they were stored in the same database.

The Anthem incident has sparked debate over whether federal law should be changed so healthcare companies would be required to encrypt the sensitive data they hold.


Anthem said the personal information that was stolen was not encrypted, and it normally only adds that protection when information is shared with medical providers or other authorized parties.

But the company said encryption wouldn’t have thwarted the attack because the thieves had obtained a system administrator’s log-in.

The U.S. Department of Health and Human Services said it hasn’t been formally notified about the breach by Anthem, but it is looking into the matter.

The agency enforces the Health Insurance Portability and Accountability Act, or HIPAA, the key federal law governing patient confidentiality.

Federal officials said the names, Social Security numbers and other “personally identifiable information” of health plan members is protected under HIPAA regardless of whether treatment or medical diagnoses are disclosed.

In 2013, federal regulators pointed out computer vulnerabilities at Anthem in a breach involving information on more 600,000 customers. Anthem paid $1.7 million to resolve the matter.


Last year, the FBI warned healthcare companies industrywide that their data security practices needed to be strengthened amid the growing threat of cyberattack.

U.S. Rep. Michael McCaul (R-Texas), chairman of the House Homeland Security committee, said he was briefed on the incident by Anthem, and he applauded the insurer for working closely with federal law enforcement officials on their investigation into the attack.

FBI officials also commended Anthem for detecting the break-in last week, only weeks after it apparently began, and for alerting authorities right away.

“Because of Anthem’s swift response and transparency, I am hopeful that other companies can protect their consumers from similar attacks,” McCaul said.

Anthem said Californians potentially affected by the breach will be offered one year of free credit monitoring and insurance against identity theft losses because “it’s consistent with California law.”

Jones, the state insurance commissioner, said he may push Anthem to offer a longer period of protection, perhaps two years or more, given the severity of the data breach.


Twitter: @chadterhune