Anthem Health Care Hack Snared Federal Employees Who Weren’t Anthem Customers


But who knows how many?

A month after detecting a data breach, Anthem, a Blue Cross and Blue Shield federal employee benefit provider, either does not know or won't comment publicly on how many federal employee plan members are affected by the hack. 

Over the past week, Anthem has disclosed more details on the extent of a December 2014 database compromise that allowed unidentified attackers to view sensitive personal information. The incident is now known to have affected current members of Anthem’s own federal benefits BCBS plan, which includes 1.3 million individuals, according to the company’s website.

Separately, it was revealed that certain federal BCBS plan customers who aren't Anthem members might also be affected. The incident also entangled an unknown number of former plan members.

An FAQ on Anthem's website reads, "based upon the investigation thus far, it appears that Blue Cross and Blue Shield Federal Employee Program plans members are impacted." 

On Thursday, Anthem officials would not say how many current and former BCBS federal employee plan members are victims based on the latest data.

Some of the uncertainty can be chalked up to incomplete records on about 14 million federal or nonfederal individuals.

"Despite our best efforts to attribute all members to a group, product or plan, a subset of unknown members still exists," Anthem spokeswoman Leslie Porras said in an emailed statement.

"Unknown members are those that lack the necessary data elements" to associate them with a particular plan, she added. "When not enough fields are present, member assignment cannot be positively confirmed and the member record can only be categorized as incomplete." It is believed that most of the incomplete records belong to former customers.

According to the Blue Cross and Blue Shield website, as of October 2014, the BCBS Federal Employee Program Benefit Plan, or FEP, covered more than 5.3 million individuals, including Anthem federal plan members.

Anthem runs the BCBS federal employee plan in Virginia, California, New York and several other states.

Referring to the extent of the breach across all BCBS plans, Porras said, “Blue Shield members who used their Blue Cross and Blue Shield insurance in a state where Anthem operates over the last 10 years” were affected.

In total, 78.8 million individuals might have had their personal information exposed, according to the company. Between 8.8 and 18.8 million of those people were not Anthem customers.

When contacted by Nextgov, the Office of Personnel Management did not provide figures on the number of affected employee plan members, either.

“Anthem is continuing to keep OPM abreast of its efforts to ensure the security of its systems as it investigates the extent of the breach," an agency spokesman said in an email, after being asked about efforts to support federal Blue Cross and Blue Shield customers. 

So far, there is no indication diagnosis or treatment information was seen by the intruders.

The private information potentially viewed includes names, dates of birth, member identification numbers, Social Security numbers, phone numbers and employment information.

Those personal details are all an ID thief needs to file fraudulent medical claims and hurt a customer's financial well-being, according to many security experts.

A Ponemon Institute study released this week reported that 65 percent of medical ID theft victims paid more than $13,000 out-of-pocket to clean up their good names.

On average, they spent 200 hours coordinating with insurers and providers to secure their credentials; checking the accuracy of personal health information, invoices and e-health records; and paying off the outstanding medical bills. 

Anthem is offering free credit monitoring and identity protection services to all affected customers. 

The Ponemon study was completed before the company’s breach, an event the insurer detected on its own Jan. 29.  Anthem came forward about a week after the discovery – a reaction time faster than that of most hacked companies, in any sector.
