On January 29, 2015, Anthem, Inc. discovered that it had been the victim of a sophisticated cyberattack that had taken place over several weeks in early December 2014. The company estimates that hackers accessed the personal information of 78.8 million people, of which 1.7 million were Connecticut residents. The hackers were able to obtain names, Social Security numbers, birth dates, street addresses, email addresses, medical IDs, and employment information such as income data. Anthem states that no credit card information, banking information, or confidential health information was stolen. Connecticut Attorney General George Jepsen and RLG principal Bruce Raymond discussed the Anthem Breach on CBS Radio Show Law Talk on March 21, 2015. Click here for podcast.
The hacking technique used in the Anthem breach is similar to that used against another health care insurance provider, Premara Blue Cross. The technique, called “typosquatting”, involves creating a bogus domain name that appears similar to the legitimate company website. For example, in the Anthem breach, the hackers created the domain name “we11point.com” to mimic Anthem’s former name, “WellPoint”. Customers are lured to the fake site and prompted to enter their login and password information, which the hackers then use to access the company’s legitimate system.
Health care industry breaches constituted more than 42% of all security data breaches in 2014, and the Anthem incident is the largest in the industry since Chinese hackers stole the personal information of 4.5 million patients of Community Health Systems, Inc. To combat these cyberattacks, the Connecticut legislature has introduced Bill No. 1024, “An Act Concerning the Security of Consumer Data”. The bill aims to protect customers’ health data by requiring companies with access to health insurance information to encrypt the personal data of insureds and enrollees. The bill is modeled after a New Jersey data encryption law that was passed by the New Jersey legislature in January 2015.
Several class-action suits have already been filed against Anthem, most alleging breach of contract and negligence, and requesting restitution and damages. Locally, an East Hampton woman is also suing for restitution and an unspecified amount of damages, alleging negligence, breach of implied contract, and violation of the Connecticut Unfair Trade Practices Act.
Connecticut data breach victims should register with Anthem’s website to obtain credit monitoring and other assistance. Those who encounter problems with the remedies offered by Anthem are encouraged to contact the Office of Attorney General George Jepsen.