Cyber Attack Strikes UC’s Health Insurer, Student Information Compromised

Anthem, the health insurer for several UC campuses, including Irvine, announced last Thursday that it was the target of a cyber attack that compromised sensitive information about its members: UC students, employees and retirees who are insured through the university’s health plan.

The nation’s second-largest medical insurance company is the network provider and claims administrator for students who are subscribed to the university’s health plan. Additionally, vision insurance for UCI undergraduates is covered handled by Anthem. Certain UC employees as well as retirees and their dependents were also covered by Anthem from 2003 through Jan. 1, 2014.

Compromised information included names, dates of birth, member ID numbers, Social Security numbers, addresses, phone numbers, email addresses, as well as employment and income data.

One upside is that students’ Social Security numbers are safe as Anthem does not possess them.

Previously, Anthem covered all 10 UC campuses. Currently, however, only students at UC San Francisco, Hastings College of Law, UC Santa Cruz, UCI, UCLA and San Diego are under Anthem’s umbrella.

Currently, it is unclear how many students and employees, who are part of Anthem’s network of 80 million members, are included in the attack.

Anthem will individually contact those whose information was compromised by mail, providing them with free credit monitoring and identity protection services. The company will only be using written communication to contact affected members. It will not call or email.

UC was also notified of a phishing scam that seeks to take advantage of those who may be affected by the attack. It warned members about a fake email that uses Anthem’s logo, the scam offers a year of free credit card protection.

Anthem has hired a security firm to investigate which members were affected, as well as how the attack occurred. So far, the investigation has shown no evidence that medical information, such as claims, diagnostic results or information regarding doctors and hospitals, has not been stolen. Also, the company has said that no credit card information was stolen.

According to The Wall Street Journal, the hack was facilitated by the unencrypted nature of the data. Data protected by always-on encryption is unwieldy for companies to manage, so they often strike a balance between ease of access and security. An Anthem spokeswoman told the publication that the company encrypts its data when its being transferred between different databases. When it’s residing on Anthem’s servers, however, the data is protected by elevated credential protocols, but is not encrypted.

Although federal law states that insurance companies must address data protection in their security practices, encryption is not actually mandated.

The attack was conducted with the stolen credentials of an Anthem systems administrator.