Cyberattack Touches 39,000 Arkansas Consumers With Blue Cross Plans

Feb 26, 2015

Some 39,000 Arkansas consumers were impacted by the massive data breach that hit one of the nation’s largest insurance carriers in late January, including nine individuals who had their Social Security information breached, Arkansas Blue Cross and Blue Shield spokesman Max Greenwood told Talk Business & Politics on Wednesday.

The news of the data breach comes nearly four weeks after insurance giant Anthem Inc. announced that cyber thieves executed a sophisticated attack that gained unauthorized access to the insurance giant’s system, obtaining personal information on nearly 80 million people.

Anthem, one of the nation’s largest health insurance companies, owns Blue Cross Blue Shield plans in 14 states, and recently said it was “working diligently” with the FBI to research the impact and notify members. FBI investigators have said they suspect Chinese hackers may be responsible for the sophisticated attack.

Greenwood said consumers who were or are currently covered by Anthem or other independent Blue Cross plans were affected by the massive security breach, including Arkansas’ largest health insurer.

“The information that we have received from Anthem tells us 39,000 Arkansans were impacted,” Greenwood said. “Unfortunately, there were nine of those individuals who did have their Social Security information compromised. They will be notified and encouraged to sign up for (fraud and identity theft) protection they are offering.”

According to a Wall Street Journal story on Tuesday, the Anthem database that was penetrated in the hacker attack included personal information for 78.8 million people, including 60 million to 70 million of its own current and former customers and employees.

The figures, offered by an Anthem spokeswoman, provided extra detail beyond what Anthem disclosed earlier this month, the article said.

At the same time, Arkansas Blue Cross initially said in a Feb. 5 post on the insurer’s website that there was no evidence that any of its members were affected in the Anthem cyberattack. However, the Arkansas insurer did say at the time it “would stay on top of situation and keep our members informed” if anything changed.

Greenwood said that the Arkansas insurer had recently received updated information from Anthem officials showing that 39,000 Arkansans were among the millions of other Blue Cross and Blue Shield plan holders affected by the breach.

The hackers were able to gain access to names, dates of birth, Social Security numbers, addresses, emails and some business information, but Greenwood said no health data or medical history information was breached.

Founded in 1948, Arkansas Blue Cross is the largest health insurer in Arkansas. Arkansas Blue Cross and its family of affiliated companies have more than 2,500 employees. The Arkansas insurer is also a member of the Blue Cross and Blue Shield Association which is comprised of 37 independent, locally-operated Blue Cross and Blue Shield Plans.

Greenwood reiterated several times that the Arkansas insurer was not responsible for the security breach.

“You can have someone living in Arkansas and have coverage with another state Blue plan,” she said. “With regards to details of the cyberattack, they (Anthem) are involved in the investigation and we are not.”

Currently, because of the volume of people affected, both Blue Cross and Anthem are in the process of notifying those individuals who were impacted as records are reconciled. “We will be sending letters to affected members (in Arkansas) next week,” Greenwood said.

According to Anthem, current and former Anthem Blue Cross members dating back to 2004 are being offered identity repair assistance and credit monitoring services through AnthemFacts.com. Identity theft repair services are available to Anthem members who feel they have experienced fraud. Members who have been impacted by the cyberattack will automatically receive those services and do not have to enroll.

Meanwhile, Blue Cross officials are not the only Arkansas insurers expressing concern about the Anthem breach. Stephens Insurance LLC sent out an email compliance alert last week that provided answers to some of the concerns that employers may have about the Anthem cyberattack.

To date, the Arkansas Insurance Department has not issued any media or consumer-related bulletins concerning the Anthem cyberattack. Department officials were out of the office on Wednesday due to inclement weather at the State Capitol.