Anthem hack puts at least 8.8 million NON-customers at risk

It’s bad enough when a company you are doing business with gets hacked, and your personal information is exposed.

But it’s even more annoying when a company that you have no relationship with suffers a serious data breach by hackers, and your details *still* get exposed.

That’s the ghastly scenario being faced by at least 8.8 million people, who until yesterday probably imagined (quite understandably) that they were not going to be affected by the hack of Anthem Inc which made headlines around the world earlier this month.

As reported at the time by We Live Security, determined hackers appear to have gained access to the names, birthdays, social security numbers, street addresses, email addresses and employment data of almost 80 million customers and employees of the second-largest health insurer in the United States.

Back then, Anthem was criticised by ten US states for being too slow in notifying customers that their data had been exposed.

But what wasn’t known until now is that an additional 8.8 to 18.8 million people who were not Anthem’s customers could also be victims.

The reason is that the breached Anthem database didn’t just include the details of customers of Anthem-run Blue Cross Blue Shield healthcare plans, but also those of customers of Blue Cross Blue Shield plans run by independent firms across the country where Anthem doesn’t have a presence.

Anthem runs Blue Cross Blue Shield healthcare plans in 14 US states (California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, Ohio, Wisconsin, and parts of New York and Virginia). But a further 37 partner companies cover an additional 105 million people under the Blue Cross Blue Shield license outside those territories, in states such as Texas, Florida, and Minnesota amongst others.

All in all, it’s pretty upsetting news for those affected – especially if they imagined they would have been immune from the Anthem breach because they weren’t an Anthem customer.

The one piece of good news is that Anthem still does not believe that any financial or confidential health information was accessed.

Anthem, which used to be known as WellPoint, says it will provide free credit monitoring and identity protection services to customers whose data was compromised.

More details can be found on, a website set up to deal with the aftermath of the hack. Alternatively you can call 877-263-7995, a toll-free number established by Anthem.

If you are concerned by the Anthem hack, be sure to check out our five defensive tips.

Author Graham Cluley, We Live Security

  • Earl Dunbar

    Well that’s really special, but not surprising. “Everything is connected” is ancient wisdom that remains relevant. Thank you for the update. As a subscriber of an independent BCBS organization, I just submitted my request to be included in the credit and identity monitoring service.

  • Coyote

    “The one piece of good news is that Anthem still does not believe that
    any financial or confidential health information was accessed.”

    This type of claim always *seriously* bothers me for the reason of:

    The organisation says something like this, right? Okay but then how come they didn’t detect the breach in the first place? Why didn’t an IDS (for example) help? Why (in many cases) did it go unnoticed? Do they not have any root kit hunter (which for example might also have file verifications.. not the only software that might, either)? Are there backdoors (an ancient technique, after all, in order to ensure access at another date). Are they sure they found everything? I criticised Sony in (2012?) when they were compromised by LulzSec and in particular that they at that point hired a security team (because after the fact is really useful, yes?) and then worse still LulzSec breached another part of Sony’s network later. Or did they? Maybe they did or maybe they didn’t – only LulzSec would know – but it is also possible that they left a backdoor (which is exactly why they typically suggest to do what, after a breach? Right, start fresh and improve your policies [improve policies before the reinstall!]). Of course, the recent Sony attack and the security team brought on (again, after the fact; they fail to learn repeatedly…) claiming there was nothing they could have done (dangerous lies) is even worse, because then why even bother?

    So I never have nor will I ever buy in to the claim that nothing appears (whatever it might be) – or even omitting ‘appears’ (what do they say about the eyes and your mind again?) – to have been accessed. It is never that simple and they should know better at that point.

    • Dave M

      The bottom line on why breaches happen is due to bean counters. I can hear the financial officer a year or two ago state “well we have not had a breach in years, the possibility of a major breach happening is low and if we do have one our numbers indicate that we would spend $XXX.XX dollars. So with that in mind the budgets for network overhaul for 2013 or 2014 are rejected”.

      • Coyote

        Well, yes, that is part of it. But it certainly isn’t all of it. Sony has yet to learn a thing from the attacks on their network over the years. And the CEO himself reiterated the ‘security advisor’ and his statements; that it was unprecedented and there was nothing that could be done. Nonsense. The same can be claimed in all things under one condition and one condition only: they aren’t willing to accept their own mistakes and at the same time (and this is also a mistake) are unwilling to learn from the past. They’re doomed to repeat history and that includes them complaining about it.

        So yes, budget of course is an issue but so is policy, so is the education (awareness or lack thereof is a huge problem!) of the employees, so is a lot of things. To claim it is only the budget (that security teams can’t change) is playing the blame game (much like Sony has done many times). There’s always something you can learn from, if you can only admit that you can never know everything (even if you could the fact new things – discovered by others since obviously ‘you’ can’t – are found/whatever over time, means you don’t know everything). Of course, maybe you refer to Anthem’s security team (above), but in the case of Sony I would hope they don’t claim something like that because it would be even worse (I realise that what you’re suggesting is hypothetical and not that a 100% thing – even if similar things were said – but I think you know what I mean). I wouldn’t be surprised if Sony did make similar claims, though, seeing as how they rather state there was nothing they could have done.

Copyright © 2017 ESET, All Rights Reserved.