Anthem, the second-largest health insurer in the United States, which has reported a massive data breach earlier this month, has finally come out with a more definite number of affected individuals: 78.8 million.
But if you think that if you weren’t an Anthem customer your data is safe, you might want to check again, as between 8.8 million to 18.8 million of the persons whose data was stolen were actually not Anthem customers.
The breach also impacted Blue Cross and Blue Shield plans not owned by Anthem. So why was those people’s information in Anthem’s databases, you wonder?
“The Blue Cross and Blue Shield Association’s BlueCard is a national program that enables members of one Blue Cross and Blue Shield Plan to obtain healthcare services while traveling or living in another Blue Cross and Blue Shield Plan’s service area. The program links participating healthcare providers with the independent Blue Cross and Blue Shield Plans across the country and in more than 200 countries and territories worldwide through a single electronic network for claims processing and reimbursement,” the company explained in the updated breach FAQ document.
The full list (provided in the FAQ) of independent Blue Cross and Blue Shield plans affected is considerable, and covers plans in many US states.
The breach also impacted Blue Cross and Blue Shield Federal Employee Program plans members.
All of those people will be receiving breach notifications via mail, but it’s still unknown whether they will be offered the 24 months of free identity theft repair and credit monitoring services offered to Anthem customers.
The company still maintains that no diagnosis or treatment data, and no credit card numbers or banking info were exposed. Names, dates of birth, SSNs, health care ID numbers, home and email addresses, and work information like income data have been accessed/stolen.
If you’re interested, Joseph Conn over at Modern Healthcare has a good write-up about the potential legal liabilities arising from the Anthem breach.
In the meantime, the Hill reports that the FBI is close to naming the cyberattacker behind the Anthem data breach, and that the agency will start naming nation states and specific hackers they find responsible for high-profile cases such as this one in the future.