More than 277,000 Louisiana residents’ data was breached in a recent cyberattack against insurer Anthem Inc. — an attack that potentially affects people who may not be Anthem customers but sought medical care in 14 states served by Anthem.
That number includes about 26,000 current or former members of Blue Cross and Blue Shield of Louisiana/HMO Louisiana Inc., spokesman John Maginnis said Wednesday. Those Blue Cross customers’ data was in Anthem’s computer system, which contained 10 years’ worth of records that hackers may have accessed.
Members of other Louisiana health plans also were affected by the Anthem data breach. Anthem spokeswoman Jill Becher said the Louisiana total included customers served by Anthem Inc. companies Amerigroup, Anthem and Empire Blue Cross Blue Shield companies, Caremore and Unicare.
Blue Cross Louisiana is the state’s largest insurer with 1.6 million members.
Maginnis said there is no evidence so far that the hackers were able to get any Blue Cross members’ Social Security numbers.
“For our members affected, the kinds of personal information that could be at risk are names, birthdays and email addresses,” he said.
Henry “Paco” Capello, information systems program manager at LSU’s Stephenson Disaster Management Institute, said for hacking victims, the issue is the true risk of someone having that information.
“My biggest concern at this point, as a cybersecurity analyst, is … some very well-crafted phishing attempts, saying they’re from Anthem, saying they’re from Blue Cross and saying we have this information, we need to update this, please enter your Social Security number,” Capello said.
That final piece of information enables hackers to open up new credit card accounts.
Cybercriminals could also use the breached data to hack policyholders’ email accounts, gain access to their LinkedIn connections and send fake emails from those connections, Capello said. Clicking on the email brings the person to a malicious site that puts malware on the user’s computer or collects information that can be used in another hack.
Maginnis said people should watch out for phone or email scams.
“If you see anything suspicious in your banking or credit card statements, report it to your bank or credit card company right away,” he said. “No one from Anthem or Blue Cross and Blue Shield of Louisiana will contact you directly to ask for your personal or financial information, so be suspicious if you receive this kind of request.”
Anthem is offering two years of free credit monitoring and identity theft protection services to those affected by the data breach.
While Anthem does not provide health care coverage in Louisiana, it is part a network that allows Blue Cross policyholders to get care when they’re outside their own health insurance plans’ coverage area.
Anthem, the nation’s second-largest insurer, runs Blue Cross plans in California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia and Wisconsin.
Earlier this month, Blue Cross Louisiana said some of its 1.6 million members may have been affected by the Anthem breach — if they received medical care and incurred a medical claim in one of the 14 Anthem states. For example, if a Blue Cross Louisiana member or former member vacationed in one of those states or traveled there for work and while there, the Blue Cross Louisiana member had to see a doctor, the claim and data from that visit could be stored in Anthem’s computer system.
Anthem has said the data breach affected about 80 million people. Between 8.8 million and 18.8 million of those affected were not Anthem customers.
Since the cyberattack accessed 10 years’ worth of records, some of the 26,000 Blue Cross of Louisiana members affected may no longer be customers, Maginnis said.
Anthem, which recently changed its name from WellPoint, had said hackers stole names, dates of birth, member ID/Social Security numbers, addresses, phone numbers, email addresses and employment information such as income data.
Capello said data is stored in multiple, related tables. It’s possible that the hackers were only able to access part of the data, such as an email list or user name database.
Follow Ted Griggs on Twitter, @tedgriggsbr.