Alexander, Murray Urge Anthem to Notify All 78.8 Million Americans Affected in Cyber Attack

WASHINGTON, D.C., March 18 – Senate health committee Chairman Lamar Alexander (R-Tenn.) and Ranking Member Patty Murray (D-Wash.) today urged Anthem, Inc., to notify all 78.8 million Americans—including nearly 800,000 Tennesseans and 450,000 Washingtonians—whose sensitive personal information may have been exposed in a cyber attack discovered in January.

In a letter to Anthem, the committee leaders note that more than a month and a half after a cyber attack identified on January 29, 2015, “more than 50 million Americans … have yet to receive notice directly from Anthem” that their personal information—including addresses, birth dates, employer information, Social Security numbers and email addresses—may have been compromised, exposing them to resulting security threats like identity theft.”

The senators write, “…[T]he highly sensitive nature of this information makes early notification essential, and we are concerned with your slow pace of notification and outreach thus far.  We are writing to formally request that you speed up the pace of notifications, and share with our committee what steps you plan to take in the next few days, to dramatically increase the pace of notification. This slow pace is of particular concern given that many of the individuals whose information has been compromised are not Anthem customers and may still be unaware that their information was contained in the attacked database.”

They continue, “We formally request that you provide a clear action plan that accelerates the current pace of notification and ensures that all affected families receive notification in the upcoming days.  …This is a critical and pressing issue, and while we understand there are many complications given the size and scope of the attack, we look forward to your response by April 1, 2015 on your progress and a clear target for when you will have reached out to every affected individual.”

Last month, Alexander and Ranking Member Murray announced an ongoing Senate health committee oversight initiative to examine the security of health information technology and the health industry’s preparedness for cyber threats.

The full text of the letter is below:

Joseph Swedish

President and Chief Executive Officer

Anthem Incorporated

120 Monument Circle

Indianapolis, IN 46204

Dear Mr. Swedish:

We write with concerns about Anthem Incorporated’s response to the recent cyber-attack that you have stated you discovered on January 29, 2015, and made public on February 4, 2015, and which affects 78.8 million Americans.  Reports have indicated that one of your databases may have been accessed as early as April 2014, and that many of your policy holders and customers’ personal data could have been in the wrong hands for a significant period of time.  While we appreciate your efforts to keep our Committee informed of your efforts to respond to the attack after you became aware of it, we are troubled by Anthem’s delay in notifying these 78.8 million Americans.

More than a month after discovery of the breach, the vast majority of Americans affected by this attack – more than 50 million in fact – have yet to receive notice directly from Anthem that their personal information has been compromised, or information about the services that are available to them to protect themselves and their loved ones from resulting security threats like identity theft.

It is our understanding that the information belonging to the 78.8 million Americans, and accessed as a result of this attack, includes addresses, birth dates, and employer information, as well as Social Security numbers and email addresses in many cases.  While we understand the logistical challenges associated with contacting millions of people, the highly sensitive nature of this information makes early notification essential, and we are concerned with your slow pace of notification and outreach thus far.  We are writing to formally request that you speed up the pace of notifications, and share with our committee what steps you plan to take in the next few days, to dramatically increase the pace of notification.

This slow pace is of particular concern given that many of the individuals whose information has been compromised are not Anthem customers and may still be unaware that their information was contained in the attacked database.   For example, Anthem does not issue insurance policies in either of our states, yet according to Anthem’s own analysis nearly 800,000 Tennesseans and nearly 450,000 Washingtonians have experienced the theft of personal information as a result of this security breach. Additionally, your own reports indicate approximately one quarter of those affected in our states – including more than 100,000 children in Tennessee and more than 26,000 children in Washington state – are Medicare or Medicaid patients serviced by Anthem.

Your staff has gone to great lengths to outline to the Committee the services you are making available to these nearly 80 million Americans.  We are pleased that you are providing credit monitoring and repair services for two years for those individuals whose information was compromised, but we find it alarming that so many Americans remain unaware of their situation and unable to benefit from these options. 

We formally request that you provide a clear action plan that accelerates the current pace of notification and ensures that all affected families receive notification in the upcoming days.  We additionally request that you outline how your efforts will comply with federal and state laws and guidelines that require timely notification for customers whose data has been lost in a data breach or cyber-attack.  

This is a critical and pressing issue, and while we understand there are many complications given the size and scope of the attack, we look forward to your response by April 1, 2015 on your progress and a clear target for when you will have reached out to every affected individual.

# # #