Not Just Numbers

Posted April 29, 2015

Often Overlooked in the Anthem and Premera Breaches That Compromised Tens of Millions Are Individual Victims. These Are Some of Their Stories.

Seen People’s Court? The opening has the announcer intoning “Real cases. Real people.” Forgotten among the tens of millions who’ve had their information compromised, but haven’t been affected…yet…are the cases of “real people” who’ve had their lives turned upside down by identity theft.

On truth-out.org, which co-published with USA Today, Charles Ornstein, writing for ProPublica, which describes itself as an independent nonprofit newsroom for investigative journalism in the public interest, puts the Anthem and Premera breaches in “human terms.” He does so by relating stories of individuals who’ve suffered identity theft as a result of these attacks. The following has been excerpted from his truth-out.org piece and edited to fit our format. You may find the full article by clicking on this link.

Knowing the score doesn’t ensure you won’t be a victim

[A] company’s privacy officer didn’t realize that health insurer Anthem even had her data. “It gives you a new perspective when you’re actually one of the folks whose data is disclosed.”

[Rebecca Fayed’s company provides research, technology and consulting services to health care and higher education organizations.] As the privacy officer for The Advisory Board Co., Rebecca Fayed knows a thing or two about privacy and what can happen when it’s violated. But when Fayed received a letter telling her that she, like nearly 80 million others, was the victim of a hacking attack on health insurer Anthem Inc., she couldn’t figure out why. Anthem wasn’t her insurance provider.

“I had no idea that Anthem even had my data,” Fayed told a gathering of privacy professionals recently at the National HIPAA Summit in Washington, D.C. “I went running around the house, ‘Why does Anthem have my data?'”

Fayed soon figured out the connection: Her previous insurer, a Blue Cross plan, was affiliated with Anthem in some way. Whoever hacked Anthem’s records accessed names, Social Security numbers, dates of births, addresses and more going back a decade.

But they weren’t covered by Anthem or Premera

Julie Grimley, 46, a content editor for an educational software startup, initially assumed the Anthem breach wouldn’t affect her because her family had coverage through CareFirst BlueCross BlueShield. Then she got letters informing her that her data, along with that of her husband and 15-year-old daughter, might have been compromised.

“At this point, I’m not sure what the best thing” to do is, said Grimley…”I really don’t.”

What about her college-age daughter?

Grimley said she is most worried about her daughter. “She’s already starting the college process,” she said. “Her life is starting. This could be really serious. I should be worried about me too but we’re established. … I’ve read horror stories and think, ‘Oh my gosh.'”

Lightning strikes twice

Bethesda, Md., resident Eric Forseter and his family managed to fall victim to both the Anthem and the Premera hackings.

Forseter’s wife and son received letters…from their health insurer Premera telling them that some of their information—but not their Social Security numbers–was compromised in the Anthem breach. Days later, they received additional letters saying they also were victims of Premera’s own breach, which affected not only Social Security numbers, but also medical claims information.

Forseter, 40, who works for an IT security and identity management company, said he doesn’t know how his family’s information got ensnared in the Anthem breach but suspects it may have happened because his son had to see a doctor while in New York. He’s gotten nowhere when he’s called the insurers’ customer- service line for answers.

“I don’t think they really know half the stuff that’s happening,” he said. “Unfortunately they’re reading a canned script and all they want to do is say, ‘Well, sorry.'”

Forseter said he is considering legal action against the insurers for failing to safeguard his family’s information. He called the offer of two years of credit monitoring inadequate.

“If data was stolen then sold and sold many times over, then potentially three to five to 10 years from now, that data could be used and I’d have to pay for my own coverage and I’m at risk,” he said. “I’m responsible for covering it.”

Lightning strikes “more than” twice

For some victims, the Anthem and Premera breaches have been all too familiar.

Bill Speaks, 61, who works in mainframe software for the U.S. Department of Interior in Colorado, said he was also a victim of the Home Depot hacking attack last year, as well as one involving his bank, and he believes he was also a victim of the Target hack. Moreover, he said, his driver’s license was stolen when he had surgery at a hospital about three years ago. That may have resulted in someone opening up an account and running up charges in his name, he said.

Speaks said he’s fed up.

“No one is looking out for us and no one at the higher levels of these organizations are suffering any consequences because of their lax security,” he said.

What have the insurers done?

Anthem spokesman Darrel Ng said the company finished mailing letters notifying those affected …. The process took two months because of the number of people affected and to not overwhelm its credit-monitoring vendor, AllClear. “Anthem initially started by sending out 1.5 million letters a day and eventually ramped up to about 2.5 million per day.”

Anthem said it has tried to reach people in other ways, including by email and through a website, AnthemFacts.com. Ng said he did not know how many people had signed up for the credit monitoring, but anyone can seek help in clearing up credit reports and contesting false charges for the next two years.

Premera also has set up a website with information and has notified 6 million members in Washington and Alaska affected by the breach and is working to notify members of other Blue Cross plans if they sought care in those states. As of April 1, more than 194,000 people had enrolled in credit monitoring, Premera spokeswoman Melanie Coon said by email.

Did Anthem and Premera do all they could?

The Department of Health and Human Services’ Office for Civil Rights, which oversees compliance with federal patient privacy law, is investigating the Anthem and Premera breaches. If the agency determines the insurers did not take adequate steps to protect members’ health information, it could impose steep fines.

A right to be nervous

Ann Patterson, senior vice president and program director for the Medical Identity Fraud Alliance, an industry group, said consumers are right to be nervous. Medical identity theft poses a more serious risk than credit card fraud. “You really can’t change your birth date. So when that kind of information is out there, the type of fraud that is perpetrated in the health care sense involves your wellbeing, your life.”

Patterson recommends that consumers take several steps if they have been affected. First, they should sign up for the free credit monitoring, which alerts people to possible suspicious activity if it happens. “If you became a victim, you would be notified as soon as possible,” she said, noting that it doesn’t prevent fraud. Beyond that, consumers should review all insurance forms, hospital bills and other medical correspondence they receive. If something doesn’t look right, don’t throw it out, Patterson said; make a phone call to clarify what has been sent.

“Some reason people think, ‘I was not the patient, so why should I call that hospital?’ Definitely call the provider and the health plan to make [sure] both parties know that you are not the patient. You should report it to your local law enforcement so you have a record that it was reported from a legal standpoint.”

ThreatMetrix: a caution and solutions

Reed Taussig, ThreatMetrix® president and CEO advised, “The most valuable data stores for fraudsters are stolen patient records that are associated with a valid health insurance policy. While most enterprises continue to focus on securing their internal networks, what is really required is broad adoption and use of secure, anonymized global shared intelligence that will identify what for and where those 90 million stolen identities are being used.”

Alisdair Faulkner, ThreatMetrix chief products officer, notes, “When Anthem and Premera sneezed, the cybersecurity industry caught a cold. Most organizations are focusing purely within their own networks, but the board room needs to be aware that these massive data breaches are just a precursor to the main event – a systemic and continuous attack on their customer and employee authentication, fraud and identity systems. To do a credible job defending against stolen identities, organizations need better risk intelligence based on anonymized shared intelligence to differentiate between trusted users and cyber threats.”

ThreatMetrix

ThreatMetrix

close btn