Anthem to take ‘coming weeks’ to tell customers if breach affected them

    The country’s second-largest insurer says customers whose information may have been compromised in a recent massive data breach will be offered credit monitoring and other services beginning Friday.

     

    Anthem says it plans to send individual letters “in the coming weeks” to customers whose information may have been accessed in a cybersecurity attack discovered late last month.

    It was responding to a group of 10 attorneys general, including Pennsylvania Attorney General Kathleen Kane, who urged the insurer to move faster to notify those affected by the breach announced on Feb. 4.

    “[O]ur offices are receiving more and more communications from constituents expressing greater and greater frustration,” the group wrote. “The delay in notifying those impacted is unreasonable and is causing unnecessary added worry to an already concerned population of Anthem customers.”

    Jan Levine, a lawyer with Pepper Hamilton specializing in health care litigation and data breach practices, said state laws vary on how long businesses can take to notify customers they’ve been affected by a data breach.

    “It is not unusual that a company would take 30 days or a couple of weeks to be able to give more specific notice,” Levine said.

    Devin Chwastyk, a lawyer with McNees Wallace & Nurick, said under Pennsylvania law, companies that have experienced a data breach must tell affected customers within a “reasonable time.”

    “It is an amorphous concept,” said Chwastyk. “What ‘reasonable’ means is not set forth in the law.”

    In the meantime, Anthem said it will provide credit monitoring, identity repair services, and other protections for two years to affected customers. Anthem President Jill Rubin Hummel said customers may sign up for the services “beginning this Friday.” Her letter, a response to Kane and the nine other state attorneys general, did not clarify if any customers would be notified by that point that they had, in fact, been affected by the data breach.

    According to initial reports of the breach, personal information might have been swiped from as many as 80 million people. Possibly affected Pennsylvanians include those served by Anthem, UniCare, or HealthLink medical plans, according to the attorney general’s office. Anthem has said cybercriminals might have accessed information of Blue Cross Blue Shield patients in all 50 states.
