Anthem warns state on data breach

Letters warning thousands of Arkansans to be on the lookout for identity or credit theft scams, the result of a data breach at insurer Anthem Inc., are now arriving in mailboxes.

Tony Felts, a spokesman for Anthem, said Thursday that personal information about 78.8 million current and former customers around the nation was potentially compromised in the theft, which was discovered Jan. 29 and made public Feb. 4.

Felts said hackers gained access to a database that included information about Anthem customers as well as other customers of affiliated Blue Cross and Blue Shield companies, such as those who received health care services in the 14 states where Anthem offers coverage.

After discovering the breach, Anthem quickly developed a plan to begin notifying members, Felts said.

"We knew the mailings were going to take some time," he said. The early response included emailing customers who did business with Anthem in the past 10 years and creation of a website to provide additional information. The company is mailing about 2.4 million letters a day, alerting people about the breach and explaining the company's identity/credit protection response.

Max Greenwood, spokesman for Arkansas Blue Cross and Blue Shield, said Wednesday that the number of members in Arkansas affected by the security breach is holding steady at around 39,000.

Of those, about 17,000 are current members of Arkansas Blue Cross and Blue Shield while the remainder are current or former Anthem members who live in Arkansas, Greenwood said. As the state's largest insurer, Arkansas Blue Cross and Blue Shield provided full insurance coverage to nearly 448,000 members as of Dec. 31.

"It was a very small percentage of our membership, but it's still our members," Greenwood said, adding she was unaware of any incidents of identity or credit theft involving Arkansas members as a result of the data breach.

Indianapolis-based Anthem is an independent Blue Cross Blue Shield associated company and the second-largest insurer in the country. Anthem is not licensed in Arkansas.

Arkansas Insurance Commissioner Allen Kerr said in a news release that some affected Arkansas residents include those covered through group policies issued by Anthem through an out-of-state employer. Other potentially affected Arkansas residents include those who received covered care in a state served by Anthem or who have coverage through a company self-insurance plan administered by Arkansas Blue Cross and Blue Shield.

Alice Jones, a spokesman for the Arkansas Insurance Department, said Wednesday that the department's consumer division reported receiving a few calls after news of the breach, but none in recent weeks.

On Feb. 11, Arkansas Attorney General Leslie Rutledge joined with nine other state attorneys general in a letter calling for Anthem to move quickly to inform customers about the breach and to commit to reimbursing consumers for losses.

Judd Deere, a spokesman for Rutledge, said the department's consumer protection division has received a handful of calls regarding the Anthem data-breach letters.

"The uptick has been people calling to make sure the letters are legitimate and not a scam," Deere wrote in an email. "There have not been reports of ID theft or credit issues due to the Anthem breach in Arkansas."

On Tuesday, Bloomberg News reported that two U.S. senators called on Anthem to do a faster job of notifying customers whose personal information may have been compromised in the data breach.

In response to its breach, Anthem has arranged for up to two years of free identity-theft protection with AllClear ID for customers. Information about this service is available at

Felts said the investigation is ongoing and involves both the FBI and private data security contractors.

News about Anthem's breach came about a month before the latest attack on an insurer that was made public this week.

Premera Blue Cross, based in Mountlake Terrace, Wash., a suburb of Seattle, said Tuesday that it was the subject of a cyberattack that began on May 5, 2014, and was also discovered on Jan. 29. Company officials said the hack may have exposed the personal data, including medical records, of as many as 11 million customers.

Business on 03/20/2015