News about the Anthem insurance database hacking keeps getting worse: initial reports suggested that the hackers got access to the records of up to 80 million current and former customers.
Then came news that the hacking first announced in early February 2015 most likely dates back to the previous April – in other words, hackers enjoyed nine months of access to Anthem's database before anyone at Anthem knew about it.
Does this mean anyone who's been an Anthem customer since April 2014 needs to worry about hackers accessing their data? More than that: late last week the company admitted that some of the customer data lost in the breach dates as far back as 2004.
On Anthemfacts.com, the website Anthem set up specifically to deal with news of the hacking, the company said that it would offer two years' worth of credit-monitoring services to “current or former members of an affected Anthem plan dating back to 2004”:
“This includes customers of Anthem, Inc. companies Amerigroup, Anthem and Empire Blue Cross Blue Shield companies, Caremore, Unicare and HealthLink. Additionally customers of Blue Cross and Blue Shield companies who used their Blue Cross and Blue Shield insurance in one of fourteen states where Anthem, Inc. operates may be impacted and are also eligible: California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Virginia, and Wisconsin.”
To sign up for this coverage, potentially affected customers can click this link to learn how, or you can wait to see if Anthem contacts you first, since the company says it will notify everyone whose data was actually compromised.
Ignore emails, texts
These notifications will be printed on paper and sent through the U.S. mail. If you've received any email or text messages purporting to be from Anthem, delete them at once, and especially don't click on any links or download any attachments those messages might contain; such messages are actually scammer-bait. Anthemfacts.com explicitly says that “Anthem will also individually notify potentially impacted current and former members by U.S. Postal mail.” No other forms of communication are mentioned.
That said: if you contact Anthem about the hacking (or any of the countless other reasons you might need to talk to your health-insurance company), it's certainly possible that an Anthem representative will later call or email you in response. How can you tell the difference between a legitimate message from Anthem, and a missive from a scammer?
Probably the single most important thing to remember comes from the scam alert Anthem posted on its own “Investor relations” website: “Anthem is not calling members regarding the cyber attack and is not asking for credit card information or social security numbers over the phone.” (Anthem's not unique in this regard: no legitimate, non-scammy company or organization asks for such information over the phone or unsolicited messages; only scammers ever do.)