data breach

I have Anthem. What should I do?

Cartoon by Gary Varvel

Since the Anthem data breach occurred, several people who either currently have or have had Anthem coverage have asked me what they should do.  To the best of my knowledge, Anthem has not yet sent out any notification letters informing individuals that their specific information was breached.  But Anthem seems to know the universe of individuals whose information may have been compromised, and this is what they are using to notify the general public about the scope of the breach. Anthem has set up a website to provide information about what happened and what data may have been compromised. For the time being, they are saying that if you are or have been a client of Anthem’s affiliated health plans and/or a member of other independent Blue Cross and Blue Shield plans in the last 10 years (essentially since 2004), you may be impacted.  Many companies that offer insurance through Anthem have posted links or emailed their employees about the breach.  For my colleagues here at UConn, you may have seen that Kevin Lembo, the Comptroller for the State of Connecticut, has posted a notification to State Employees about the breach on the Office of the State Comptroller’s website.

So back to my post from yesterday:  I have just learned that my information may have been compromised in the Anthem breach; what do I do?  Well, first I would start with the informational website Anthem created about the breach.  Anthem is offering an option for individuals who may have been impacted by the breach to protect themselves for the next 24 months (and some of the services carry over beyond 24 months depending on what you choose to do).

More information about what Anthem is offering through AllClear ID can be found here. But to get you started, AllClear ID is offering a couple of different options to those impacted by the Anthem breach:  AllClear Secure and AllClear PRO.  The services are very different.

So should you consider the services offered through AllClear ID?  Is AllClear ID reputable?  Is it the right approach to wait and see, and to use AllClear Secure only if you later find your identity has been harmed? What about the fact that you would have to give AllClear ID your Social Security number to enroll in AllClear PRO?

Enrolling in services such as those provided by AllClear ID is a personal choice.  If you are not opening up new credit any time soon (e.g., buying a car, opening a credit card, buying a home), you may be comfortable waiting or monitoring your credit on your own. If you are going to be opening up new credit, or do not want to monitor your credit on your own, you may want to consider AllClear PRO as an option.

Yes, AllClear ID is a known entity.  They have handled many of the large breaches.  In full disclosure, they are the vendor that UConn has used when we have had data breaches in the past. There are certainly other reputable companies in the marketplace that offer credit monitoring and/or identity repair services.  Your bank and credit card companies likely offer services as well.  Again, how you personally monitor your credit and your own sensitive information is a personal choice.

BUT, be aware that there are also scam artists out there looking to further take advantage of the vulnerability you are now feeling.

So here are my suggestions:

  1. Read the notifications you receive from your employer, the information on Anthem’s general breach information websites and, should you receive one, the direct notification to you from Anthem.
  2. Read the options that Anthem is offering through AllClear ID.  Call AllClear ID at 877-263-7995 and ask questions of their advisors if you feel you need more information about the services available.
  3. Think about your own personal situation.  Decide what (if any) sort of credit monitoring, protection, insurance and/or assistance might be useful for you.
  4. And again, going back to my blog post from yesterday, visit the Federal Trade Commission’s (FTC) identity theft information page, the Better Business Bureau, your State’s Attorney General (here is Connecticut’s) or Consumer Protection agencies, and the credit bureaus (Experian, TransUnion, Equifax) for more information and other options to assist you.

I’ve just learned I’m a victim of a data breach. Now what?

So when I start writing most blog posts, I try to come up with an interesting blog title to grab your attention.  See above.  Check!  Next, I search the web for a great graphic (usually I Google it!) to add to the post.  For this post, I Google’d the phrase “data breach victim.”  Try Google’ing that and see what comes up.  I was hoping I might find a cartoon of a person looking defeated or scared.  Something witty by a cartoonist or journalist who could really capture what a data breach victim feels after learning his or her identity has been stolen.  But instead (spoiler alert!), what came up was a page full of brand marks of several of the largest corporations hit by hackers and data thieves in the last year or so. Here are just a few of the first ones that came up:

[Images: logos of Target, Neiman Marcus, Michaels, Anthem and Home Depot]

Apparently, and quite properly, humor (and even sarcasm) are not the first reactions by anyone, including the cartoonists, when it comes to data breaches.  I scrolled through more than a hundred images (mostly breached company logos) before coming to one cartoon.  Serious stuff.

The first cartoon that came up kinda summed it up nicely, though:


You shop at a major retailer.  You work for a large corporation.  You are a client of an insurance company.  And you learn that the organization you shop at, work for or are insured by, which you trusted with your personal and/or financial information, has been hacked.  You feel victimized.  You feel, well… exposed.  So what do you do next to protect yourself?

First, take a deep breath.  You may be frustrated, angry at the organization you trusted to protect your data, or wondering if your credit has been or will be compromised. Data breaches have become so common that, fortunately, there are many resources to help you.

One of the most concise resources I found summarizing the steps you should take immediately, and then later if you do find your stolen data has been used, is from the Federal Trade Commission (FTC).  There is a wealth of good information on the FTC’s page, including information about particular types of identity theft (medical, tax, children, etc.) and forms and sample letters to help you navigate various options to protect your information, or restore your identity if it has been harmed.  But assuming you have just learned that your information was involved in a data breach, here is the best way to get started according to the FTC:

Identity Theft

Identity theft happens when someone steals your personal information and uses it without your permission. It’s a serious crime that can wreak havoc with your finances, credit history, and reputation — and can take time, money, and patience to resolve.

What to Do Right Away

Immediate Steps to Repair Identity Theft

Here’s how to begin to limit the harm from identity theft.

What to Do Next

Extended Fraud Alerts and Credit Freezes

Placing both extended fraud alerts and credit freezes on your credit reports can make it more difficult for an identity thief to open new accounts in your name.

Repairing Your Credit After Identity Theft

Here are step-by-step instructions for disputing fraudulent charges and accounts related to identity theft.

Lost or Stolen Credit, ATM, and Debit Cards

Federal law limits your liability if your credit, ATM, or debit card is lost or stolen, but your liability may depend on how quickly you report the loss or theft.

There are many other great resources out there to guide you as well.  The Better Business Bureau, your State’s Attorney General (here is Connecticut’s) or Consumer Protection agencies, and the credit bureaus (Experian, TransUnion, Equifax) are great places to start for tips and road maps as well.


Stop! Thief!


If you are or were a customer of Anthem, identity theft is probably on your mind right about now.  I’ll have more on the Anthem data breach later, but for now, it might be a good idea to revisit a Blog entry I originally published in January of 2013.  Here is an excerpt with some practical tips about protecting your sensitive personal data that might be of particular interest to identity thieves.

Taking Care of Your Personal Information

What can you do to diminish the chances that you will become the victim of identity theft?  Here are some pointers:

  • Watch out for imposters!  Make sure you know who is asking for your personal or financial information and why they are asking for it. Don’t give out personal information on the phone, through the mail or online unless you’ve initiated the contact or know who you’re dealing with.
  • Manage your records.  Do not keep paper or electronic records that contain sensitive personal information longer than you need to.  Make sure you store your records that contain sensitive personal information in a secure location.
  • Properly dispose of paper records.  When disposing of paper records, do not throw documents with personal information on them in the trash.  Shred, shred, shred!
  • Clear your mobile device before you get rid of it.  Before you dispose of a mobile device (such as your smartphone) check your owner’s manual, the service provider’s website, or the device manufacturer’s website for information on how to delete information permanently, and how to save or transfer information to a new device properly.
  • Encryption as a tool.  Consider encrypting files or even computer hard drives that contain sensitive information.
  • Update security features.  Make sure that you update security and antivirus features and install patches on your computer regularly.
  • Monitor your credit.  Monitor your credit with each of the 3 major credit bureaus.  Federal law requires nationwide consumer reporting companies to provide you with a free credit report, at your request, once per year.
  • Password protection.  Protect your password the same way you would protect other sensitive personal information about yourself.  Create complex passwords and have different ones for each account if possible.  Do not share your passwords with anyone.
  • Do they really need my SSN?  Think twice (or 3 times!) before you give out your Social Security Number. If someone asks you to share your SSN, ask that person why they need it, how it will be used, how they will protect it, and what happens if you don’t share it with them.
  • Be wise about Wi-Fi.  Before you send personal information over your laptop or smartphone on a public wireless network in a coffee shop, library, airport, hotel or other public place, see if your information will be protected.
  • How social should I be?  Do not overshare on social networking websites.  Avoid posting personal information, such as your birth date or address.  Also consider how much you post about your life.  Identity thieves can use what you post to answer common challenge questions on your accounts, such as your credit card.
  • Think you might be the victim of identity theft?  Want to be prepared just in case?  The Federal Trade Commission, the Identity Theft Resource Center and provide excellent information regarding what to do if you become a victim of identity theft.