Hackers targeting health insurer Anthem gained access to personal information on tens of millions of current and former customers and employees across the country, including Gov. Dannel P. Malloy.
The company said cyber attackers had obtained personal information including names, birth dates, medical identification and Social Security numbers, street and email addresses and employment information, including income data. There was no evidence that credit card or medical information had been compromised, according to a statement from Anthem President and CEO Joseph R. Swedish.
Anthem, formerly known as Wellpoint, is the parent company of Anthem Blue Cross and Blue Shield, which covers about 1.14 million people in Connecticut, including many state employees and retirees. It was not clear Thursday how many Connecticut customers were affected by the data breach.
“This appears to be one of the largest in-depth data breaches in history,” Attorney General George Jepsen said Thursday afternoon during a press conference with Malloy, state Comptroller Kevin Lembo and other state officials.
Jepsen said his office launched an investigation Thursday morning after being notified of the breach Wednesday night. He said Anthem had been extremely responsive.
Anthem said it would notify current and former members whose information was accessed and provide free credit monitoring and identity protection services. Information about the breach is available at www.AnthemFacts.com. People with questions can call 1-877-263-7995.
Anthem said it is still determining which members were affected, and will send them notification letters “in the coming weeks.”
“While we do not have specific numbers at this time we are taking the broadest view possible and assuming that any of our members or employees could have been at risk,” an Anthem spokeswoman said Thursday. “That is why we have already begun the process of notifying current and former members about the attack.”
Consumer Protection Commissioner Jonathan Harris called the situation troubling. “Anthem, like all health insurance companies, has access to extremely sensitive health and personal information and therefore has the immense responsibility to protect that information from unlawful disclosure,” he said in a statement. “That there is any vulnerability in the corporation’s record management system is cause for real concern and must be corrected.”
Anthem’s Connecticut customers include state employees and retirees.
Lembo, whose office oversees the employee and retiree health plan that covers more than 180,000 people, said he met with Anthem officials about remedies for Connecticut customers. He said the company agreed to provide at least two years of credit monitoring, identity theft insurance and other protections immediately for state employees, retirees and their dependents. Jepsen said those protections are expected to be extended to other state residents affected by the breach.
Information about obtaining credit reports and other advice for consumers is available at www.ct.gov/anthemadvice. Harris advised Anthem customers to change their online passwords and to check their credit reports for suspicious activity.
Connecticut residents affected by the breach should report suspicious activity on their credit reports or other financial accounts to law enforcement immediately, Jepsen and Harris said. People can also report suspicious activity to the attorney general’s privacy task force at attorney.general@ct.gov or 860-808-5318.
Anthem said it contacted the FBI about the breach and worked to close the security vulnerability. The personal information taken included that of company employees, including CEO Swedish.
Connecticut residents with questions can also contact the Connecticut Insurance Department’s Consumer Affairs Unit at cid.ca@ct.gov or 800-203-3447 or 860-297-3900.