To the 80 million customers of Anthem whose personal information was stolen by hackers, security experts offer this advice: Keep a close eye on your medical-claims statements.
Identity thieves use plundered health-plan data to run up large bills in the victims’ names. Anthem disclosed yesterday, Feb. 4, that names, birth dates, Social Security numbers, medical IDs, street and e-mail addresses, and employee information, including income levels, were stolen in one of the biggest data breaches of a U.S. company.
Identity theft may not have been the main goal of the breach. Federal and private-sector investigators are pursuing evidence that points to Chinese state-sponsored hackers who are stealing personal data from health-care companies to seek information on the personal lives of defense contractors, government workers, and others, according to three people familiar with the probe. Still, the information of tens of millions of others has been compromised and can’t be considered safe.
Anthem, the second-largest insurer in the U.S. by market value, is only the latest to fall victim to hackers. Attacks on the industry have increased sevenfold in the past year, according to Websense, a cybersecurity firm.
Anthem is mailing information to the affected members on how to access free credit-monitoring and identity-protection services. It has also set up a website and toll-free number to answer questions.
Plan members can't do anything right now to be 100 percent sure their identity won't be swiped.
But if you're an Anthem member, here’s what you can do.
Watch for bogus billing
Consumers’ best defense will be the insurer's vigilance over claims reports for signs of medical-identity theft, according to the security specialists. One of the biggest threats is the possibility of medical-identity theft, in which an impostor steals members’ insurance IDs or Social Security numbers and uses them to rack up thousands of dollars in health-care bills, said Geoff Hancock, chief executive officer of Advanced CyberSecurity Group in Washington.
All it takes to submit a fraudulent claim in many cases is a name, plan member ID number, and date of birth, Hancock said. The bill then gets sent to the person who has had her identity stolen or to her insurer to pick up the tab.
Anthem members should also monitor bank statements, search online for their names and e-mail addresses, and look out for suspicious e-mails, since hackers often sell stolen addresses to malicious spammers sending viruses or fraudulent offers, said Carl Leonard, principal security analyst for Websense.
“This is going to be the year of the health-care data breach,” said Bob Gregg, CEO of ID Experts, which provides a monitoring service that alerts people when medical claims are made in their name. “Health care is going to be the target going forward.”
Medical or health-insurance information can sell for 10 times what a credit card number fetches on the black market, making it a lucrative area for cybercriminals.
Start reading the mail you trash
With a stolen credit card number, new cards and their numbers can be quickly issued, and the bank takes care of the fraudulent charges. Medical identify theft can cost thousands of dollars, take years to resolve, and leave a lasting mark on a person’s medical record.
More than 1.8 million people had their medical identity stolen in 2013, a 19 percent increase from the previous year, totaling $12 billion in medical costs, according to a study by the Ponemon Institute, a data security research firm in Traverse City, Mich. While the majority of victims have their identity stolen by someone they know, 7 percent of cases were from a data breach, the group found.
About a third of those who had their identity stolen said they incurred out-of-pocket costs averaging more than $18,000 in legal expenses, credit-reporting fees, medical services because of a lapse in health insurance, and payments to health-care providers for services provided to the impostor in their name.
The best way to detect that type of activity is to read closely the “explanation of benefits”—something few people do, said Katherine Keefe, global focus-group leader for breach response services at insurer Beazley. Her company provides cyber insurance to help companies prevent and deal with the aftermath of a cyber attack, and she worked for a major health insurer for more than a decade.
“Scrutinize information that comes back from your health-care providers to make sure, just the way you’d examine your credit card statement, that it is accurate,” said Keefe. “That is one way you can take control of the situation.”
Gregg said it’s crucial to catch fraud early on, since the more claims there are, the harder it can be to resolve. He has seen it take years for patients to get their medical records cleared up.
“The key is to catch it the first time it happens,” Gregg said. “If we can catch the first instance of it, then we can put a stop to it right there.”
-With assistance from Dune Lawrence and Robert Langreth in New York