The country’s second largest health insurer, Anthem, just announced their database, with private information for all 80 million current and previous customers, was recently hacked. As an Anthem Blue Cross member, I am assuming that my information was hacked, given that all Anthem brands were impacted.
Names, birthdays, social security numbers, street addresses, email addresses and employment information, including income data, were all compromised in the hack.
“Cyber attackers executed a very sophisticated attack to gain unauthorized access to one of Anthem’s IT systems and have obtained personal information relating to consumers and Anthem employees who are currently covered, or who have received coverage in the past.”
Sophisticated? Anthem doesn’t even encrypt their databases! Side note: they are idiots not to spend the nominal amount of money to encrypt data, and since there are a lot of idiotic corporations out there that only look at the immediate bottom line, it should be immediately written into law that all companies with private customer data (and especially those with Social Security numbers!) encrypt their data. That it’s not required from corporate America is a very serious privacy and economic threat to all Americans.
Anthem’s response time on this data breach has also been awful. I found out through the press versus directly through the company. And while they just reached out to the press this week to disclose this, I did a little homework and found out that:
- Anthem’s data hack FAQ website, anthemfacts.com, was registered with GoDaddy on December 13, 2014 – almost two months prior to the announced hack.
- It probably took weeks or months for Anthem to decide how to handle the situation BEFORE they registered the domain name.
- It could have taken weeks or months BEFORE that for Anthem to discover the data was hacked in the first place.
And they still haven’t gotten in touch with customers (or at least me):
“We continue working to identify the members who are impacted. We will begin to mail letters to impacted members in the coming weeks.”
In other words, these hackers probably have a 4-6 month head start on Anthem and on you in protecting your data and identity. Wouldn’t want urgency to get in the way of profits or a perfectly executed PR strategy now, would we?
Hackers are not that slow. So, I’m taking matters into my own hands – and you should too.
Unfortunately, medical identity theft is often not immediately identified by patients or their provider, giving thieves years or even decades to use the data to steal identities. Medical data is more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected. And since Social Security numbers stay with you FOR LIFE, you may have to spend the rest of your life looking over your shoulder.
I can’t guarantee that the following will protect you from any future threat (since hackers could sit on this information for months or years before selling it or using it). But, the following is certainly better than the alternative of doing nothing and waiting for Anthem to offer the lowest-cost face-saving measure.
1. Submit an Initial Fraud Alert
Initial fraud alerts last for 90 days and require businesses to take extra steps to verify your identity before issuing credit, for example by opening new accounts or increasing credit limits. When someone uses your Social Security Number to apply for something that requires a credit check, e.g. a credit card or loan, the credit reporting agencies have to send your phone number to the creditor, and the bank has to call you to confirm that you applied.
When you submit an initial fraud alert, the credit bureau you submit it with is required to notify the other two credit bureaus so that they also activate an initial fraud alert. So you only need to submit one. Here are your options:
- Equifax initial fraud alert site, or 1-800-525-6285
- Experian initial fraud alert site, or 1-888-397-3742
- TransUnion initial fraud alert site, or 1-800-680-7289
Initial fraud alerts are free.
2. Monitor your Credit Reports Closely
Look for any damage already done, and keep looking going forward. I highly recommend using Credit Karma (free) for this, as they now have free continuous access to Equifax credit reports and TransUnion credit reports (annualcreditreport.com only offers 1 report from each bureau per year). In particular, look at all open accounts and look for any recent credit inquiries that you did not initiate. Credit Sesame and Credit Karma also offer free credit monitoring – a service the credit bureaus all charge $15+ per month for.
If you believe information in your file results from identity theft, you have the right to ask that a consumer reporting agency block that information from your file. And a creditor or other business must give you copies of applications and other business records relating to transactions and accounts that resulted from the theft of your identity, if you ask for them in writing.
3. Put a Calendar reminder to Renew your Initial Fraud Alert Every 90 Days OR Submit an Extended Fraud Alert
The initial fraud alert does only last for 90 days. So, you have two options:
- remind yourself to renew the initial fraud alert every 90 days
- submit an extended fraud alert, which lasts 7 years
If you choose the extended fraud alert, you will also have to provide an identity theft report. An identity theft report includes a copy of a report you have filed with a federal, state, or local law enforcement agency, and additional information a consumer reporting agency may require you to submit.
Extended fraud alerts are free, and when you place one with one bureau, you are also placing it with all three:
4. Continuously Monitor your Bank, Credit Card and Other Financial Account Statements for Any Unusual Activity
5. Keep an Eye Out for Tax Fraud and Submit your Return Early!
Remember my warnings about tax fraud? Turbotax and other e-file providers have previously temporarily shut down e-file submissions due to huge upticks in fraudulent tax returns.
If a thief has your Social Security Number, it is easy for them to submit a refund request in your name. You must protect yourself from e-file identity theft fraud. Submit your return as early as you can to beat them to it and request an E-File PIN.
Also, sign up for USPS Informed Delivery ASAP to monitor what is on the way to your mail box (and what doesn’t make it there).
6. Submit a Credit Freeze, if you Have Been Targeted
A credit freeze puts a lock on your credit report so the bureaus are forbidden from releasing it without your express consent. The freeze must be filed with each credit bureau individually. As of September 21, 2018, free credit freezes (and thaws) are available to all Americans. When you submit a freeze, note that before applying for a job or credit card, buying insurance, obtaining a mortgage or giving anyone access to your credit report, you must ask the bureau to lift the freeze. It’s a pain in the ass, but if you have for sure been targeted, it might be worth the peace of mind.
Exhausting, right? What a colossal waste of time, resources, and money. To help prevent this in the future, it’s time to require every company with Social Security numbers and other targeted identity theft information to at least encrypt all data. Write your congressperson, again.
Note: a credit freeze is similar to a credit lock, but with more consumer protections.
Update: Check out my follow-up to this post on how to protect your identity in an unprotected world, and an even more recent follow-up on how to protect yourself from the Equifax hack.
Check out the FTC’s website on identity theft for more suggestions.
really sorry to hear about this. it’s amazing to me the amount of responsibility one has when a company screws up so royally. frankly anthem should take responsibility and pay for a fraud alert for every person in their database.
on a side note: my least favorite words are “we don’t accept email, but you can fax it to us”, but a close second is “must be submitted in writing”.
And to top it off, Turbotax has temporarily halted transmitting state tax returns due to widespread fraud – people are trying to file and getting rejected with notices that their returns have already been filed! Great advice on filing early for that reason – I can rest easy knowing mine is in already.
On another note – I started using a password manager program, and I’m a huge fan. (I use Dashlane, which I pay for – I’m willing to since it not only increases my level of security, but also saves me loads of time from having to look up my password each time I return to some old website. There is a free version, though, and Lastpass is another well-reviewed program . . . ) Having the same password for everything is yet another way to increase vulnerability, and these programs will alert you if there’s been a breach and you should immediately change certain passwords.
+1 to password managers. i use keepass (i run linux) the truth is, for most sites i have no idea what my password is. they’re big, ugly, unique, and no trouble at all.
We use KeePass on Windows and our Android phones – great for syncing up so my husband and I both have the passwords to all accounts. I don’t always use the big ugly auto-generated ones, but it has made me more mindful of using long passwords and I can use different ones for each site without having to remember “Was the password to this one GreatBankingResource or IL0veMyB4nk ?”
Yes – I posted on Facebook/Twitter yesterday regarding Turbotax. Is it crazy to think that the Anthem hack and huge spike in tax fraud are not just a coincidence?
Hey G.E. Another great post…. It’s frustrating that many companies do not take responsibility for their negligence and all the stockholders care about is “how much money did we make this quarter”… it makes me sick to my stomach.
According to this article it is illegal for companies not to encrypt the data. Haven’t done any research to see if this is true or not.
That’s incorrect. Other than that, the Lifehacker article looks awfully familiar to this one…. hmm….