(UPDATED 9 Feb: (1) To clarify that Anthem has in fact sent out a generic email about the breach, but will only contact you by regular mail if your own information is breached and (2) to announce that I will appear on NPR’s Diane Rehm Show to discuss this breach on Tuesday 10 Feb. The show airs live at 10am ET in Washington, DC but may run at different times on other NPR stations.)
Most recent retail store data breaches have resulted in thieves only obtaining credit and debit card numbers; it makes a mess, but an easy one to clean up, and the few consumers who become fraud victims are quickly made whole. The credit and debit card laws that apply to “existing account fraud” are quite strong. Also, bank card security systems are usually quick to detect attempted fraud (our Target breach tips explain what to do in retail fraud circumstances and include the advice “Don’t Panic”). In some cases, such as the Target breach, the thieves may also obtain email addresses and phone numbers. With these additional data points, the thieves can use “phishing” emails or “social engineering” phone calls to attempt to get you to give up the additional information needed to commit the more serious problem called identity theft.
The Anthem hackers, on the other hand, reportedly obtained that mother lode of information on up to 80 million consumers all at once — including employers, birth dates, social security numbers, medical account numbers, phone numbers, and home and email addresses (but no medical records).
These data points could be used to commit a variety of more serious frauds, including obtaining your tax refund, obtaining medical care in your name and also committing financial identity theft, when new accounts are opened in your name by the thief.
Here are some consumer tips, noting that Anthem has sent out an email to members announcing the corporate breach, but made it clear that it will only contact you by regular postal mail if your sensitive information is included in the hacked information.
1) Don’t click on any links in emails claiming to be from Anthem. Some may be malicious. These are probably not even from the actual hacker, but are garden-variety phishing scams that follow any breach. These are designed either to install malware on your computer or get you to give up financial details that will allow them to access your accounts or open new ones in your name. (People who don’t have Anthem coverage will receive these also. Any spammer with an email list can send these out.)
2) Anthem has committed to only contact you by regular mail if your personal information has been breached. Even if you think an email is from Anthem, do not click on any email links. If you want to confirm information in the email, separately log on to anthem.com by typing the letters in that URL yourself. Malicious emails may appear to redirect to anthem.com, but actually do not. Retype either anthem.com or the address of the firm’s special tips website (Anthemfacts.com), which has more information.
3) Monitor Your Credit Reports and Bank Accounts: All consumers have the right to a free credit report annually from each of the three big credit bureaus as explained on this U.S. Federal Trade Commission (FTC) website, which describes how to go online at the government-mandated free credit report website or how to call or mail if you don’t like webpage links. Citizens of seven states — Colorado, Georgia (2/year), Maine, Maryland, Massachusetts, New Jersey and Vermont — can obtain an additional annual free report under state law (you generally need to call each credit bureau: Equifax, Experian, and TransUnion). If you stagger these three or six (or in Georgia, nine) requests over a 12-month period, you essentially have a free credit report monitoring service.
4) Consider a Fraud Alert Now: Consumers who suspect they are identity theft victims can add a 90-day, renewable initial fraud alert to their credit reports (which also entitles you to an additional free credit report). If you know you are an identity theft victim and file a police report or FTC affidavit demonstrating this, you can request a permanent fraud alert. More on fraud alerts from the authoritative Privacy Rights Clearinghouse.
5) Consider the “Peace of Mind” of a Security Freeze on Your Credit Reports: Ten years ago U.S. PIRG, along with Consumers Union, drafted a model state security freeze law, and with the help of AARP and others, it rapidly became law in 47 states until the credit bureaus finally capitulated and agreed to provide freezes in all jurisdictions. A security freeze prevents “new” credit from being issued in your name but allows your existing creditors to look at your report. It’s the only way to prevent financial identity theft, since new creditors who cannot see credit scores or reports will not open new accounts. A freeze requires more work by you; if you want to apply for a new credit card or a home re-fi, you’ll need to temporarily “lift” the freeze (you can do this on a targeted creditor basis). A typical freeze costs $10 ($30 for 3) and $5-10 each time it is temporarily lifted. A few states offer free security freezes for identity theft victims or senior citizens. Learn more here from Consumers Union.
6) Don’t Pay For Expensive Credit Monitoring, But Take It For Free From Anthem: A freeze is much less expensive, and 100% more effective, than over-priced “credit monitoring” services sold by the credit bureaus and other firms for as much as $19.99/month (also, the FTC has fined Experian, a credit bureau, and Lifelock, an identity theft service, for misleading sale of these products and has warned numerous others). We will be “monitoring” Anthem’s expected offer of “free” credit monitoring, and will strongly oppose it if it is set to automatically convert to paid credit monitoring at the end of the free offer. Nevertheless, due to the serious nature of this breach, it’s ok to take it for free.
7) Update Critical Passwords: It’s always a good idea to use different, robust passwords for all your important accounts. And it’s a good idea to update them regularly.
8) Several State Attorneys General and Other Officials Recommend Filing For Tax Refunds as Soon As Possible: See, for example, this alert from Connecticut officials.
Of course, watch your bank accounts, watch your email and be suspicious of any phone calls. By the way, never give out information to an incoming caller. Hang up and call the number on your Anthem card or your credit card. Watch carefully for any additional information from Anthem as the story continues to develop. We expect that state Attorneys General will be demanding additional steps be taken by the firm. U.S. PIRG has additional identity theft tips here.
There is one other twist to this story. Some suspect that this breach may have been state-sponsored hacking, possibly by China. Some experts suspect that the real target is specific individuals working for specific companies. The hacked information will be used to conduct “spear-phishing attacks,” which, just as they sound, are not random. Anthem customers may be only a secondary target. Getting into another firm, with better security, for espionage purposes, may be the hackers’ unconfirmed goal.
Please be vigilant. This is a serious breach, but don’t panic.
Senior Director, Federal Consumer Program, U.S. PIRG Education Fund
Ed oversees U.S. PIRG’s federal consumer program, helping to lead national efforts to improve consumer credit reporting laws, identity theft protections, product safety regulations and more. Ed is co-founder and continuing leader of the coalition, Americans For Financial Reform, which fought for the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, including as its centerpiece the Consumer Financial Protection Bureau. He was awarded the Consumer Federation of America's Esther Peterson Consumer Service Award in 2006, Privacy International's Brandeis Award in 2003, and numerous annual "Top Lobbyist" awards from The Hill and other outlets. Ed lives in Virginia, and on weekends he enjoys biking with friends on the many local bicycle trails.