In addition to roughly 80 million Anthem customers, nearly 20 million more individuals who aren’t customers of the health insurer could ultimately wind up implicated in this month’s massive data breach.
The company disclosed yesterday that between 8.8 million and 18.8 million Blue Cross Blue Shield customers’ records may have been storoed in the database that was hacked. Anthem is part of a network of independent BCBS plans, and the latest batch of affected customers may have used their BCBS insurance in states such as Texas or Florida where the company runs partnerships.
It’s the first time the company has disclosed information regarding the breach as it relates to data other than its own since the compromise was announced on Feb. 5.
Anthem spokeswoman Kristin Binns spoke to Reuters yesterday to confirm the breach’s figures further, adding that the company has updated the number of records accessed to 78.8 million, down a few ticks from its initial figure of 80 million.
It’s still difficult to quantify the breach’s exact numbers however because those 78.8 million records include 14 million incomplete records which complicates the tally because the users can’t all be linked to their plan, according to Binns. When all is said and done, including the non-Anthem BCBS customers, there’s a chance the total number affected by the breach could reach close to 100 million.
Representatives with the company did not immediately reply on Thursday to a request for comment.
The company will reportedly begin next week mailing letters to both Anthem customers and Blue Cross Blue Shield customers affected by the breach and as is usually the case with breaches of this magnitude, offer them two years of identity theft and credit monitoring support.
The company’s CEO Joseph Swedish said earlier this month that the company was “the target of a very sophisticated external cyber attack.”
“These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members,” Swedish said in a statement.
Since an investigation around the attack is still ongoing, Binns couldn’t speculate further, but did tell Reuters that it’s continuing to operate under the notion that the information was stolen, instead of being merely accessed.
The hack, the latest in a series of attacks on the healthcare industry, saw hackers make off with customers’ names, birthdays, medical IDs/Social Security numbers, street addresses, email addresses and employment information, including income data.