HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Up to 18.8M Non-Customers Also Affected By Anthem Data Breach

Anthem has issued a statement confirming it is not only its own customers that have been affected by the mega data breach it suffered, but also between 8.8 million and 18.8 million individuals who are members of Blue Cross Blue Shield health plans of other insurers.

According to Reuters, this is the first time that Anthem Inc. has announced that the customers of different insurance companies may also have been compromised in the cyber attack. Anthem is a member of an insurance network that runs Blue Cross Blue Shield plans, and customers signing up for these health plans are able to obtain medical services via any of the hospitals or medical centers signed up to the plan.

BCBS covers 105 million Americans and is operated by 37 different healthcare providers. Anthem runs healthcare plans in 14 states under Blue Cross Blue Shield and is the country’s second largest healthcare insurer.

Because of this association, Anthem held data of patients belonging to BCBS health plans provided by other insurers, and that data, it would appear, could have been obtained by hackers. The original estimate of the scale of the data breach was put at 80 million records, although that number was recently revised and changed to 78.8 million records.


That figure includes 14 million incomplete records. It has not been reported what data was present in those records, but Anthem has said that they are causing a problem because it is not clear to which health plan they belong. Hence the considerable difference between the two figures provided on the number of BCBS members who have had their data exposed.

This announcement will come as very bad news for BCBS members. The Anthem data breach exposed names, dates of birth, Social Security numbers, member IDs, home addresses, telephone numbers, email addresses and employment details, and some income data. No healthcare data was reportedly obtained, although the information that was stolen is more than sufficient for the perpetrators to be able to commit a number of crimes that have a direct financial impact on the victims.

In accordance with the HIPAA Breach Notification Rule, Anthem will be sending notification letters to all of its own patients as well as other BCBS members who were affected by the breach. Due to the incomplete records and the sheer scale of the task ahead, it may take a number of weeks before all the letters are dispatched.

In an effort to mitigate any damage caused by the breach, Anthem is offering all affected members – and those of BCBS – credit monitoring services without charge for a period of two years and it has also pledged to assist with identity theft repair for any victims of fraud.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.