This story was co-published with USA Today.
One consumer was the victim of hacking attacks on two different health insurers; a company’s privacy officer didn’t realize that health insurer Anthem even had her data. “It gives you a new perspective when you’re actually one of the folks whose data is disclosed.”
As the privacy officer for The Advisory Board Co., Rebecca Fayed knows a thing or two about privacy and what can happen when it’s violated.
But when Fayed received a letter telling her that she, like nearly 80 million others, was the victim of a hacking attack on health insurer Anthem Inc., she couldn’t figure out why. Anthem wasn’t her insurance provider.
“I had no idea that Anthem even had my data,” Fayed told a gathering of privacy professionals recently at the National HIPAA Summit in Washington, D.C. “I went running around the house, ‘Why does Anthem have my data?'”
Fayed soon figured out the connection: Her previous insurer, a Blue Cross plan, was affiliated with Anthem in some way. Whoever hacked Anthem’s records accessed names, Social Security numbers, dates of births, addresses and more going back a decade.
Many of those caught up in the recent string of medical data breaches are experiencing similar confusion and concern as they receive notifications from insurers. They wonder what real-world repercussions the exposure of their health care information could bring.
The Anthem breach, announced in early February, affected some 78.8 million people. Premera, another insurer based in the Pacific Northwest, recently disclosed that hackers had accessed records of 11 million people. The plans are offering several kinds of support, including credit monitoring for two years, but consumers must take steps proactively to enroll in that service.
When retailers such as Target and Home Depot have suffered data breaches, they have exposed credit card numbers, which can be canceled, containing the damage. The hacking of health insurance data is more troublesome, revealing the keys to a person’s identity.
Julie Grimley, 46, a content editor for an educational software startup, initially assumed the Anthem breach wouldn’t affect her because her family had coverage through CareFirst BlueCross BlueShield. Then she got letters informing her that her data, along with that of her husband and 15-year-old daughter, might have been compromised.
“At this point, I’m not sure what the best thing” to do is, said Grimley of Gaithersburg, Md. “I really don’t.”
Grimley said she is most worried about her daughter. “She’s already starting the college process,” she said. “Her life is starting. This could be really serious. I should be worried about me too but we’re established. … I’ve read horror stories and think, ‘Oh my gosh.'”
Anthem spokesman Darrel Ng said the company finished mailing letters notifying those affected during the week of April 3. The process took two months because of the number of people affected and to not overwhelm its credit-monitoring vendor, AllClear. “Anthem initially started by sending out 1.5 million letters a day and eventually ramped up to about 2.5 million per day,” he wrote in an email.
Anthem said it has tried to reach people in other ways, including by email and through a website, AnthemFacts.com. Ng said he did not know how many people had signed up for the credit monitoring, but anyone can seek help in clearing up credit reports and contesting false charges for the next two years.
Premera also has set up a website with information, premeraupdate.com. It has notified 6 million members in Washington and Alaska affected by the breach and is working to notify members of other Blue Cross plans if they sought care in those states. As of April 1, more than 194,000 people had enrolled in credit monitoring, Premera spokeswoman Melanie Coon said by email.
The Department of Health and Human Services’ Office for Civil Rights, which oversees compliance with federal patient privacy law, is investigating the Anthem and Premera breaches. If the agency determines the insurers did not take adequate steps to protect members’ health information, it could impose steep fines.
Bethesda, Md., resident Eric Forseter and his family managed to fall victim to both the Anthem and the Premera hackings.
Forseter’s wife and son received letters dated March 4 from their health insurer Premera telling them that some of their information—but not their Social Security numbers–was compromised in the Anthem breach. Days later, they received additional letters saying they also were victims of Premera’s own breach, which affected not only Social Security numbers, but also medical claims information.
Forseter, 40, who works for an IT security and identity management company, said he doesn’t know how his family’s information got ensnared in the Anthem breach but suspects it may have happened because his son had to see a doctor while in New York. He’s gotten nowhere when he’s called the insurers’ customer- service line for answers.
“I don’t think they really know half the stuff that’s happening,” he said. “Unfortunately they’re reading a canned script and all they want to do is say, ‘Well, sorry.'”
Forseter said he is considering legal action against the insurers for failing to safeguard his family’s information. He called the offer of two years of credit monitoring inadequate.
“If data was stolen then sold and sold many times over, then potentially three to five to 10 years from now, that data could be used and I’d have to pay for my own coverage and I’m at risk,” he said. “I’m responsible for covering it.”
Ann Patterson, senior vice president and program director for the Medical Identity Fraud Alliance, an industry group, said consumers are right to be nervous. Medical identity theft poses a more serious risk than credit card fraud. “You really can’t change your birth date. So when that kind of information is out there, the type of fraud that is perpetrated in the health care sense involves your wellbeing, your life.”
If an imposter attempted to receive medical care using a patient’s name, she said, it could attach a false diagnosis to the patient’s medical records and delay care when the patient really needs it.
Patterson recommends that consumers take several steps if they have been affected. First, they should sign up for the free credit monitoring, which alerts people to possible suspicious activity if it happens. “If you became a victim, you would be notified as soon as possible,” she said, noting that it doesn’t prevent fraud. Beyond that, consumers should review all insurance forms, hospital bills and other medical correspondence they receive. If something doesn’t look right, don’t throw it out, Patterson said; make a phone call to clarify what has been sent.
“Some reason people think, ‘I was not the patient, so why should I call that hospital?’ Definitely call the provider and the health plan to make [sure] both parties know that you are not the patient. You should report it to your local law enforcement so you have a record that it was reported from a legal standpoint.”
For some victims, the Anthem and Premera breaches have been all too familiar.
Bill Speaks, 61, who works in mainframe software for the U.S. Department of Interior in Colorado, said he was also a victim of the Home Depot hacking attack last year, as well as one involving his bank, and he believes he was also a victim of the Target hack. Moreover, he said, his driver’s license was stolen when he had surgery at a hospital about three years ago. That may have resulted in someone opening up an account and running up charges in his name, he said.
Speaks said he’s fed up.
“No one is looking out for us and no one at the higher levels of these organizations are suffering any consequences because of their lax security,” he said.
Fayed’s company provides research, technology and consulting services to health care and higher education organizations, and she said the flow of personal information is essential to delivering medical treatment and to arranging payment. “We as individuals are never going to be able to know every single entity that has our data,” she said.
At the same time, Fayed said her personal experience with the Anthem breach allows her to see it from the other side. “It gives you a new perspective when you’re actually one of the folks whose data is disclosed. It’s a real-life perspective.”
We’re not backing down in the face of Trump’s threats.
As Donald Trump is inaugurated a second time, independent media organizations are faced with urgent mandates: Tell the truth more loudly than ever before. Do that work even as our standard modes of distribution (such as social media platforms) are being manipulated and curtailed by forces of fascist repression and ruthless capitalism. Do that work even as journalism and journalists face targeted attacks, including from the government itself. And do that work in community, never forgetting that we’re not shouting into a faceless void – we’re reaching out to real people amid a life-threatening political climate.
Our task is formidable, and it requires us to ground ourselves in our principles, remind ourselves of our utility, dig in and commit.
As a dizzying number of corporate news organizations – either through need or greed – rush to implement new ways to further monetize their content, and others acquiesce to Trump’s wishes, now is a time for movement media-makers to double down on community-first models.
At Truthout, we are reaffirming our commitments on this front: We won’t run ads or have a paywall because we believe that everyone should have access to information, and that access should exist without barriers and free of distractions from craven corporate interests. We recognize the implications for democracy when information-seekers click a link only to find the article trapped behind a paywall or buried on a page with dozens of invasive ads. The laws of capitalism dictate an unending increase in monetization, and much of the media simply follows those laws. Truthout and many of our peers are dedicating ourselves to following other paths – a commitment which feels vital in a moment when corporations are evermore overtly embedded in government.
Over 80 percent of Truthout‘s funding comes from small individual donations from our community of readers, and the remaining 20 percent comes from a handful of social justice-oriented foundations. Over a third of our total budget is supported by recurring monthly donors, many of whom give because they want to help us keep Truthout barrier-free for everyone.
You can help by giving today. Whether you can make a small monthly donation or a larger gift, Truthout only works with your support.