The information gathered by healthcare organizations is a veritable treasure trove of information for criminals, which has led to a growing trend of breaches of such businesses. Yesterday the Anthem breach, the biggest healthcare-related breach to date was announced, as attackers accessed a database containing the records of current and former employees. As we discussed earlier this morning on We Live Security, this could affect as many as 80 million people.
The impacted plan and brands include:
- Anthem Blue Cross
- Anthem Blue Cross and Blue Shield
- Blue Cross and Blue Shield of Georgia
- Empire Blue Cross and Blue Shield
While medical data and credit card data were not apparently accessed, this attack has given criminals access to customers and employees names, birthdays, social security numbers (SSNs), street addresses, email addresses and employment data. This is in some ways more serious than simply getting credit card information, as it can potentially be used in a wider variety of frauds and scams, including identity theft. Affected people will need to be more vigilant about monitoring and protecting their credit from here on out, as changing one’s SSN is difficult and often does not solve the problem.
Thankfully, it appears that Anthem swiftly identified this threat, which means affected customers and employees can begin procedures to limit the damage. Anthem will be notifying affected users, but it is best to act now if you suspect you are at risk of being one of those 80 million people.
- Notify credit reporting agencies
The FTC website has a great series of articles about what to do to repair identity theft, including a worksheet to help you keep track of the steps you should take. The first step you should take is to call one of the credit reporting agencies and place a fraud alert on your account. This will mean that your account will receive additional scrutiny for possible fraud for 90 days, at which point you may renew the alert if you choose. You should then confirm with the credit reporting agency that they will report the fraud alert to the other two agencies.
- Check your credit report
Once youve reported the theft, you are entitled to a free credit report. Check this report for erroneous activity. If you find any, you can dispute those errors with the credit reporting agency and the fraud department for the business in question.
- Report fraud to the FTC
If and when you receive notification that your information was compromised in the breach, you may wish to report the fraud to the FTC. This affidavit, plus a police report, comprises something called an Identity Theft Report. Having an Identity Theft Report can limit your responsibility for fraudulent accounts created in your name, waive fees for placing a credit freeze, and allow you to create an extended fraud alert that stays in affect for 7 years.
- Beware of scams
With the information stolen in this breach, criminals will have a mountain of personal details that could make scams and phishing more targeted and thus believable. Anthem has warned that phishing campaigns have already begun to target people suspected to have been victims of this breach. This is a good time to practice extra skepticism: Be sure not to click on links in emails purporting to come from businesses, especially if they appear suspicious in any way. Instead, you should type the businesses URLs into your browser directly, to contact companies. Likewise, you may receive unexpected phone calls from scammers: Remember that you are under no obligation to provide or confirm information to businesses calling you. Feel free to ask the caller for information to check the validity of their claims, such as through an online search or contacting the business on your own. Anthem has stated that they will contact people via US Postal Service only, and added that users should not reply to these scam emails, click on any links or attachments in these emails, or supply any information to the scammers.
- Continue to check your accounts
Criminals are unlikely to use this information all at once; they may save it for future use, as so many people’s information is involved in this breach. It is best to remain vigilant by checking your credit reports, payment card statements and medical statements regularly. If you see any errors listed, you can correct them promptly to minimize any further damage.
Bonus Tip: Add Two-Factor Authentication to existing accounts With the variety of information criminals have stolen in this breach, they may try to use it to hack into victims online accounts. You can minimize this possibility by adding a second factor of authentication to accounts where this feature is available.
Author Lysa Myers, ESET