Is Anthem screwing dependents of former members on breach notification? (update 2: No)
Update 2 (March 12). Because Anthem gave me the run-around instead of a straightforward answer, I asked a mainstream reporter from a large news outlet to pose the question to them. He managed to get an answer:
Anthem is notifying all impacted members. The letters are being mailed as we speak. Because of the volume of letters, this process will take several weeks to complete so letters to individuals in the same household, for instance, might arrive at different times.
Now why couldn’t they have just said that when I asked them if dependents were getting individual notification letters? Sheesh…
Yesterday, my husband received a notification letter from Anthem about their massive data breach. I had forgotten that at one time, we had coverage through his employer. Our children and I were covered as his dependents.
And as I read what they sent him and looked at the AllClear ID signup web page, it dawned on me that Anthem does not appear to be directly notifying individuals whose SSN and DOB were in their database as dependents. In fact, if the former member of Anthem cannot or does not notify the formerly covered dependents, they may have no idea that they are at risk of identity theft.
Consider these scenarios:
Scenario 1. “John Doe” was insured by Anthem in 2004, and his then-wife and then-minor children were covered under his plan as dependents. Fast-forward to 2015, and John no longer speaks to his ex-wife after a bitter divorce. His children, who are now adults with their own credit histories and reports, are estranged from him, having sided with their mother in the marital breakup. John Doe gets the Anthem notification but doesn’t sign up his ex-wife or adult children for the AllClear ID service and doesn’t even tell them about the breach or offer of free credit protection.
Scenario 2. “John Doe” unfortunately passed away in 2013, two years after his wife passed away. His adult children have no idea that their personal information was compromised in the Anthem breach.
Yesterday, I emailed the Blue Cross Blue Shield contact for my state and asked about whether former dependents were being notified. I got no response.
Today, I tweeted the inquiry to @Antheminc and @askAnthem. Here was our exchange:
@AnthemInc @askAnthem Are the dependents of plan members being sent individual notifications, too? I can’t seem to find an answer to that.
— Dissent Doe (@PogoWasRight) March 10, 2015
@PogoWasRight We understand how you’re feeling. We can talk in depth if you email your ID# and contact info to [email protected]. Thanks. ^TW
— Anthem (@askAnthem) March 10, 2015
They understand how I’m feeling because I asked them a simple question? Really? I replied:
@askAnthem Just answer the question, please: are those who were covered dependents being sent individual notification letters?
— Dissent Doe (@PogoWasRight) March 10, 2015
That was 10 hours ago. They didn’t respond.
So I emailed [email protected] and put the question to them. I did not enclose any information, as I don’t have it any more, and besides, it’s a general question for media purposes.
They didn’t respond, either.
So I sent a comment to NYS Attorney General Eric Schneiderman through his web site. Perhaps he’ll ask Anthem if they intend to individually notify dependents, and if not, why not. But if you read Anthem’s breach web site carefully, it certainly seems that they will only be notifying the former members and not any of their dependents – even though the dependents’ personal information would also have been on file.
My next step might be to file a HIPAA complaint with HHS alleging that Anthem is not meeting its mitigation obligations under HITECH if it is not notifying all individuals whom I think it should be notifying and it is not directly offering them the free credit protection services.
So, Anthem, if you’d like to respond to this commentary, please e-mail me and I will update this post. If you are notifying everyone, I’d be delighted to hear it, but then you can tell me why neither I nor our adult children have received notification letters.
But know this, Anthem: ignoring my questions won’t make me just go away quietly into the night. I’ll just continue to blog, tweet, and file complaints.
Does anyone think that storing personal information for so long for former members and their children and then not notifying everyone is an “unfair” business practice under Section 5 of the FTC Act? Discuss among yourselves.
Update 1, March 11: I received a response from [email protected] to my inquiry. Now keep in mind that @askAnthem told me to email [email protected] with my question, so I did. This is what a “Grievance/Appeals Analyst II (Social Media)” at [email protected] replied:
Anthem encourages anyone with questions to go to AnthemFacts.com or call the toll free number 1-877-263-7995.
Seriously? I started with anthemfacts.com. And why should I have to call the toll-free number, who will likely ask me for information about our membership that I no longer have, just to get an answer to a simple question that likely affects tens of millions of people?
Under New York State’s data breach notification law, I believe Anthem is required to notify dependents as well as members – unless NYS gave them a waiver/permission to use a substitute media notice. But I don’t think that’s happened. So why hasn’t Anthem notified us and why won’t they affirm that they will be notifying all dependents for whom they were storing personal information on or after 2004?
Why won’t Anthem just answer the question? I do hope state attorneys general take note of how unhelpful and frustrating Anthem is being.