US health insurance giant Anthem is warning current and former customers affected by a recent data breach that their details are already being used by email scammers trying to elicit even more personal information from them.
In a press release on Friday, the firm claimed that phishing emails had already been spotted in the wild, spoofed so they appear to come from Anthem and offering a 'click here' link for fraud monitoring.
It added that it would never call members about the cyber attack to ask them for credit card information or Social Security numbers.
Anthem continued:
“This outreach is from scam artists who are trying to trick consumers into sharing personal data. There is no indication that the scam email campaigns are being conducted by those that committed the cyber attack, or that the information accessed in the attack is being used by the scammers.
Anthem will contact current and former members via mail delivered by the US Postal Service about the cyber attack with specific information on how to enroll in credit monitoring. Affected members will receive free credit monitoring and ID protection services.”
Anthem, the second biggest health insurer in the US, also pointed customers towards an FTC site for more information on how to spot scam emails.
Experts had already pointed out to Infosecurity that phishing attacks might occur after the insurer revealed last week that it had suffered a data breach which is currently being investigated by security firm Mandiant and the FBI.
It’s still not clear how the attackers breached Anthem, and how many customers and former customers may be at risk, but the signs don’t look good.
The Californian insurance commissioner Dave Jones last week ordered a review into Anthem’s response to the breach, claiming that as many as 80 million policyholders and employees could be affected.
He said the following in a statement:
"Health insurers have not only consumers' financial information but also sensitive medical information. Although early reports from Anthem indicate that medical information was not breached, the information reportedly taken does open the door to identity theft and fraud against tens of millions of consumers. The Anthem breach underscores the need for insurance companies to take every precaution to protect their customers' information and make their consumers whole when a data breach occurs."
Apart from the potential fines, investigation and remediation costs and brand damage, Anthem will also have to defend itself against legal action.
The class action lawsuit, filed by Cohen and Malad LLP, alleges that the firm “failed to safeguard the personal information of current and former clients.”
It adds that this is the second breach for Anthem, after it was fined $1.7m in 2010 for a breach involving 612,000 people.
Kevin Epstein, vice president of advanced security and governance at Proofpoint, warned that Anthem customers may have to be on their guard about identity theft and other scams for months or even years to come.
“Anyone who thinks they may have been impacted by this breach should contact their credit agency and issue a fraud lock, protecting consumers from having their personal information used to open new lines of credit,” he added.
“In terms of personal health information, if it is revealed that this was stolen, consumers must immediately engage with law enforcement officers.”