On February 9th, 2015, Girard Gibbs LLP filed a federal class action lawsuit against Anthem, Inc. on behalf of all current and former Anthem members and employees whose personal information was compromised as a result of the data breach announced in February 2015. The lawsuit alleges that Anthem failed to maintain reasonable and adequate security measures designed to prevent the attack or detect unauthorized network activity. It also alleges that Anthem failed to encrypt its members’ data.
Data breach affects all Anthem product lines
Anthem, Inc., the nation’s second-largest insurer, disclosed on February 4, 2015 that its information security systems had been subject to a cyber-attack. Bloomberg has reported that the details of up to 80 million Anthem customers were exposed to theft by hackers. According to Anthem’s press release, thieves obtained personal information from Anthem’s data systems including names, birthdays, Social Security numbers, street addresses, email addresses, employment information, and income data. This press release also states that the breach impacts all Anthem product lines, including Anthem Blue Cross, Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare.
Anthem: Medical information was not compromised
Anthem claims that there is no evidence that banking, credit card, or medical information have been compromised. However, Fred Cate, a cybersecurity expert, has cautioned that company officials might not know the scope of the attack at this point because it is quite early in the investigation. The New York Times has reported that according to Katherine Keefe, the global focus leader for breach response services at Beazley, stolen medical information can be sold on the street for ten times the value of a credit card number.
Hackers may have had access to Anthem’s database for over a month
Reports indicate that Anthem’s database was open to hackers for over a month. Anthem first detected the data breach on January 27, 2015, according to an internal memorandum sent by Anthem to its employees, which is available on CSO Online’s Top Security News blog. An Anthem database administrator discovered a data query running using the administrator’s own logon information. Because he had not initiated the query, he stopped it, and informed the Information Security department. Anthem then discovered that the logon information for additional database administrators had been compromised. On January 29, Anthem officially determined that they were the victim of a cyber-attack and alerted government officials. This memorandum also states that the unauthorized activity began on December 10, 2014.
Experts say Anthem did not take basic security steps
According to The New York Times, experts have said that Anthem did not take basic security steps such as protecting the data in its computers through encryption. Thomas Miller, Anthem’s chief information officer, stated that at the time of the breach, Anthem was considering encrypting its internal database. According to John Kindervag, an analyst with Forrest Research, Anthem mistakenly assumed that the information within its own database was secure, and did not apply the same protective standards it uses when it sends data to a doctor’s office.
Anthem’s history of data breach problems
Anthem has had a history of data breach issues. In 2010, before it had changed its name to Anthem, Wellpoint suffered a data breach impacting over 600,000 customers, after a failed security update to one of their systems. In 2013, Wellpoint agreed to pay the U.S. Department of Health and Human Services $1.7 million to settle claims that this data breach violated the Health Insurance Portability and Accountability Act of 1996 (HIPPA).
Healthcare breaches are on the rise
According to statistics quoted by The New York Times from the Office for Civil Rights at the Department of Health and Human Services, there have been over 740 major healthcare breaches affecting 29 million people in the past five years. The Identity Theft Resource Center’s 2014 report also states that 42.5 percent of reported data breaches occurred in the medical and healthcare sector, the largest number of data breaches among all categories. The report also states that healthcare breaches have been on the rise the past ten years.
Yet, The New York Times has reported that healthcare companies like Anthem are behind other industries in protecting sensitive personal information. Avivah Litan, a cybersecurity expert for Gartner stated that health organizations “are generally less secure than financial service companies who have the same type of customer data.”
On February 6, 2015, Anthem warned its customers that they might be subject to scam email and phone campaigns targeting current and former members. These scams are designed to appear as if they were from Anthem, but are intended to trick consumers into sharing personal data (these are called phishing scams).
Are you an Anthem customer?
If you believe that your personal information was compromised in the Anthem data breach, please contact one of our consumer attorneys by filling out the form on the right or by calling (866) 981-4800.
Other Girard Gibbs data breach lawsuits
Our attorneys are currently litigating class action lawsuits concerning the recent data breaches that have taken place at retailers Target and Home Depot, as well as the October 2013 Adobe Systems data breach. We represent employees of Sony Pictures whose personal information was compromised as result of a data breach announced at the end of 2014. We are also currently investigating the Kmart payment systems data breach, and the Premera Blue Cross cyberattack announced in March 2015. In the past, Girard Gibbs has successfully settled cases involving cyber-attacks on Health Net and Certegy customer databses.