Up to 1.4 million Connecticut residents are affected by what the state attorney general is calling "one of the largest, most in-depth data breaches in history" targeting insurance leader Anthem Inc.
Gov. Dannel Malloy said in a news conference Thursday evening that about 200,000 of the state's 1.4 million affected Anthem customers are current or former state employees, retirees on the state health plan and their families. Comptroller Kevin Lembo said Anthem is one of two insurers providing coverage to state employees.
According to Anthem, “Cyber attackers executed a very sophisticated attack to gain unauthorized access to one of our parent company’s IT system and have obtained personal information relating to consumers and Anthem Blue Cross and Blue Shield employees who are currently covered, or who have received coverage in the past.”
Compromised information includes names, birthdays, social security numbers, street addresses, email addresses and employment information, including income data.
The plans impacted include Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink and DeCare.
The Connecticut Insurance Department is working to assess the impact to customers and ensure plans are in place to protect policyholders, and Attorney General George Jepsen has launched an investigation into the breach.
“I am deeply concerned about this massive data breach," Jepsen said in a statement. "This morning, I sent a letter to Anthem requesting information about the security measures the company had in place prior to the breach, the circumstances that led to discovery of the breach and the measures Anthem is taking to ensure this sort of attack will not happen again."
In his letter to Anthem's chief executive officer, Jepsen asked that all affected Connecticut residents be provided with two years of free credit monitoring services, identity theft insurance and reimbursement for the costs associated with placing and lifting security freezes.
"Breaches in security like this one put innocent consumers at significant risk of financial and reputational harm, and those affected deserve adequate protection,” Jepsen said.
Anthem is investigating to determine which members are impacted and said in a statement that they will individually notify current and former members whose information has been accessed and offer credit monitoring and identity protection services for free.
The insurance carrier said it will send letters to affected customers in the coming weeks, but Malloy said during the news conference Thursday that he hopes weeks will become days.
U.S. Senator Blumenthal also discussed the breach in a Senate committee hearing on Thursday and said customers need to know that they data is secure to trust companies.
“This latest cyberattack is not only breathtaking in its scope and scale, it is potentially heartbreaking and life changing for the tens of millions of consumers and employees affected. Sadly, Anthem is only the latest case in a string of hacks and cyberattacks that have cost consumers tens of billions of dollars," Blumenthal said in a statement. These attacks are real and they hurt real people, and companies and universities collecting sensitive consumer data have an obligation to do more to protect that information.”
The state Insurance department is also providing the following resources to residents who want to protect themselves against cyberattacks: