How hackers might use your stolen Anthem data
For fraudsters, the type of customer data stored by healthcare organizations offers a treasure trove of possibilities.
That's why Anthem's data breach could pose a serious headache for the company's 80 million customers. While it's unclear how many accounts were impacted by the hack, Anthem chief executive Joseph R. Swedish said in a letter to customers that it was "the target of a very sophisticated external cyber attack."
While consumers have to some extent become familiar with credit-card breaches, thanks to attacks on retailers such as Target and Staples, the potential theft of data from health providers creates a higher risk of fraudulent uses. That's because health insurers store much more sensitive data about consumers than retailers or credit-card companies, including Social Security numbers, medical history, personal income, and the patient's employer. With all that data at their disposal, there are more ways the fraudsters can create trouble.
"When a thief gets that information, we call that the perfect identity," said John Dancu, the chief executive of technology security company IDology. "Financial institutions have been hit for several years so they have gone in and tried to harden their systems, and the next place for the fraudsters to hit is the medical system."
Anthem said that the attack allowed the attackers to gain access to current and former customers' names, birthdays, medical IDs and Social Security numbers, street addresses, email addresses and employment information. Income data was also accessed.
There's no evidence that credit card or medical information was compromised, the insurer said. The impacted plans include Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare.
In addition to selling Anthem customer data to other fraudsters on the black market, the thieves could use the data to set up fraudulent financial accounts in victims' names, such as credit card accounts, Dancu noted.
With access to Social Security numbers, employment information and income data, fraudsters could also file false tax returns, with the goal of claiming a fraudulent refund. That's a growing problem in the U.S., with the Internal Revenue Service investigating almost 1,500 cases in 2013, a jump or 66 percent from the previous year.
Anthem customers may also be at risk for phishing, given that email addresses were accessed. Phishing is when fraudsters set up fake email accounts or websites that look similar to well-known businesses, with the goal of getting consumers to enter confidential data, such as passwords. Consumers should be wary of emails that direct them to click on a website and provide data.
While the thieves apparently didn't steal medical data, fraudsters in general may target healthcare organizations for this information because it could allow them to access prescriptions for painkillers and other drugs, Dancu noted.
"You need to be diligent with your financial resources and accounts," he added. That means checking statements and bills to make sure they are accurate, and that no micro-charges or unauthorized charges appear on them.
Anthem has said that all impacted customers will receive monitoring or identity protection services, but that apparently won't be available for a few weeks. The company said it would mail letters about what services are available "in the coming weeks."