Blue Cross and Blue Shield of Louisiana emphasized Thursday that it was not affected by a cyberattack and data breach that involved Anthem Inc., the nation’s second-largest health insurer.
Anthem is one of 37 independent licensees of the national Blue Cross and Blue Shield Association.
Blue Cross and Blue Shield of Louisiana is a separate and independent plan from Anthem and all other Blue plans in the country, the Louisiana insurer said.
Hackers broke into Anthem’s database storing information for about 80 million people, gaining access to names, birthdates, email addresses, employment details, Social Security numbers, incomes and street addresses.
Anthem Inc. provides health insurance in California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia and Wisconsin.
While Anthem does not provide health care coverage in Louisiana, Blue Cross said it is possible that a small number of its members may be affected if they received care and incurred a medical claim in one of the 14 states that Anthem does cover.
For example, if a Blue Cross Louisiana member was on vacation or traveling for work to one of the 14 states and sought medical treatment there, that member could have a claim and stored data in Anthem’s computer system.
Blue Cross Louisiana said it is working to identify any of its traveling customers who could be affected and will notify those customers.
Blue Cross and Blue Shield of Louisiana said it takes extensive steps to protect its customers’ personal and health information and is taking even more aggressive measures to prevent a data breach from occurring.
The attack on Anthem, which recently changed its name from WellPoint, could be a sign that hackers have shifted their focus away from retailers and toward other targets, cybersecurity experts say.
The nation’s second-largest insurer said it has yet to find any evidence that medical information such as insurance claims or test results was targeted or taken in a “very sophisticated” cyberattack it discovered last week. It also said credit card information wasn’t compromised.
And the hackers might not be done with the insurer, as they look for fresh targets after previous ones like retailers Target and Home Depot shore up their defenses.
“To me, this is the next wave of where we’re going to see more and more attacks,” said Mark Bower, a vice president with the cybersecurity firm Voltage Security. “Cybercrime is a business. The attackers will simply move to the next low-hanging fruit.”
He said security practices in health care are not as mature as they are in other industries, and hackers have multiple ways to get into a health care system that links insurers, care providers, labs and other businesses that handle sensitive patient information.
Medical records can be sold to criminals who could construct billing and insurance scams involving fake medical centers or target patients for phone scams.
“That’s the kind of sophistication we have in cybercrime,” Bower said. “We have networks of criminals who can use this data whenever it’s available based on their skill set.”
Medical data also can be used to extort patients, with the hacker demanding money to prevent the public release of sensitive information, said Eran Barak, CEO of another cybersecurity firm, Hexadite.
He added that the attack may have been a probe to test the insurer’s defenses, with hackers planning to return for more information or installing malware that steals data.
The insurer said all of its product lines were affected. It sells mainly private individual and group health insurance, plans on the health care overhaul’s public insurance exchanges, and Medicare and Medicaid coverage. It also offers life insurance and dental and vision coverage.
Affected brands include Anthem Blue Cross, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield and Amerigroup.
The federal government also is investigating whether the personal information of Medicare and Medicaid beneficiaries was stolen. Those government programs are a major business for Anthem.
An Anthem spokeswoman said Thursday the insurer was working with federal investigators to figure out who was behind the attack. They had not pinned down the exact number of people affected.