Health insurer Anthem (ANTM) warned U.S. customers Friday about an email scam targeting former and current members whose personal information was suspected to have been breached in a massive cyberattack.
The No. 2 U.S. health insurer said Wednesday that hackers breached its computer system containing data on up to 80 million people.
Anthem said there was no indication the email scam was connected to those who perpetrated the security breach. It wants customers to know it is not calling members regarding the breach and not asking for credit card information or social security numbers over the phone.
The company said it will contact current and former members via mail delivered by the U.S. Postal Service about the attack.
Anthem confirmed media reports that data accessed by hackers hadn't been encrypted to prevent such a security breach.
How we managed our data in the warehouse has been appropriate. No one has pointed a finger and said you did this wrong and this is why this happened.
Anthem needs to be able to easily access patient data in order to create the numerous reports it generates for customers and regulators as part of doing business, Wakefield explained. "I think that is standard practice," she added.
"How we managed our data in the warehouse has been appropriate," Wakefield said. "No one has pointed a finger and said you did this wrong and this is why this happened."
Several U.S. states are investigating the cyberattack on Anthem that a person familiar with the matter said is being examined for possible ties to China.
"The level of protection of this highly sensitive information is very much a focus of our investigation," said Jaclyn Falkowski, a spokeswoman for Connecticut Attorney General George Jepsen.
Cybersecurity has become a major concern for U.S. firms. Some of the biggest data breaches reported to date include those at retailers Target (TGT) and Home Depot (HD).
Wakefield said Anthem wasn't worrying about lawsuits by states or customers as a result of the security breach.
"Our first priority is to determine who was impacted and to notify our members," she said, adding that Anthem was working with cybersecurity experts on ways to prevent future attacks.
The insurer has been communicating with regulators and attorneys general in the markets where it does business, Wakefield said.
U.S. law doesn't specifically require sensitive health data be encrypted, said Washington lawyer Deven McGraw, an expert in health care privacy.
"Encryption is one physical safeguard that can be very helpful to lowering cybersecurity risk," McGraw said.
Anthem's shares were down 1.1 percent at $135.69 on the New York Stock Exchange.