Hacked healthcare corporation Anthem has had to issue a special warning to current and past customers as hackers have already started to work through records purloined earlier this year.
"Individuals who may have been impacted by the cyber attack against Anthem should be aware of scam email campaigns targeting current and former Anthem members," the firm said in an advisory.
"These scams, designed to capture personal information (known as 'phishing'), are designed to appear as if they are from Anthem and the emails include a 'click here' link for credit monitoring. These emails are NOT from Anthem."
The credible-looking emails are being spammed out purporting to be from the credit monitoring agencies Anthem has hired to deal with the data leak announced on Wednesday. Anthem is warning all customers not to click on any links, download any software, or share any data with the senders, saying it will contact customers by snail mail only.
Anthem said that there's no indication that this first wave of attackers is using stolen data or email addresses from its servers. Rather, they are merely attempts by enterprising scumbags to cash in on the event.
A lot of people are going to be scared silly enough to fall for such scams, however, thanks to the scale of Anthem's cock-up – which is much bigger than first thought. The firm is the second largest health insurance company in the US, with around 37 million customers at the moment. But following the breach, it admitted the number of individual records snatched could be as high as 80 million, including those of many past customers.
Anthem is insisting that no medical records were accessed and that no credit card data was stolen. That's cold comfort, as the records do include names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data – in other words, everything you'd need for a serious identity-theft smorgasbord and then some.
One question Anthem has repeatedly declined to answer is whether or not the stolen data was encrypted, although reports have said that it was not. Company spokesman Darrel Ng gave El Reg the following statement:
"Anthem’s database was accessed after bypassing our security protocols. Because an administrator’s credentials were compromised, additional encryption would not have thwarted the attack."
It gets worse
Anthem is going to have to explain its actions, however, both to regulators and in court. California's Department of Insurance has announced a probe into the incident and will be coordinating its actions with other state insurance bodies to find out what went wrong.
"Although early reports from Anthem indicate that medical information was not breached, the information reportedly taken does open the door to identity theft and fraud against tens of millions of consumers," said Information Commissioner Dave Jones.
"The Anthem breach underscores the need for insurance companies to take every precaution to protect their customers' information and make their consumers whole when a data breach occurs. We are conducting a review to confirm that the company takes the appropriate steps to protect and assist consumers and guard against future breaches."
Having state officials sniffing around your servers is bad enough, but lawsuits have already started flying. In Anthem's home state of Indiana, the first class-action suit has already been filed by legal firm Cohen & Malad.
The suit claims that Anthem was negligent in not protecting customer data, particularly in light of previous hacking incidents at the company. It points out that the FBI issued an alert in April of last year that health insurance companies were being targeted, and argues that Anthem's failure to protect its customers' data despite that warning amounted to negligence.
The lawyers want a judgment against Anthem of over $5m and are inviting customers to sign up to share in the bounty. A jury trial has been requested.
Disclosure: Anthem is the health-insurance firm used by El Reg in the US. ®