Health insurer Anthem Inc on Friday warned U.S. customers about an email scam targeting former and current members whose personal information was suspected to have been breached in a massive cyber attack.
The No. 2 U.S. health insurer said on Wednesday that hackers breached its computer system containing data on up to 80 million people.
Anthem said there was no indication the email scam was connected to those who perpetrated the security breach. It wants customers to know it is not calling members regarding the breach and not asking for credit card information or social security numbers over the phone.
The company said it will contact current and former members via mail delivered by the U.S. Postal Service about the attack.
Anthem confirmed media reports that data accessed by hackers had not been encrypted to prevent such a security breach.
"When the data is moved in and out of the warehouse it is encrypted. But when it sits in the warehouse it's not encrypted," Anthem spokeswoman Cindy Wakefield said.
Anthem needs to be able to easily access patient data in order to create the numerous reports it generates for customers and regulators as part of doing business, Wakefield explained. "I think that is standard practice," she added.
"How we managed our data in the warehouse has been appropriate," Wakefield said. "No one has pointed a finger and said you did this wrong and this is why this happened."
Several U.S. states are investigating the cyber attack on Anthem that a person familiar with the matter said is being examined for possible ties to China.
"The level of protection of this highly sensitive information is very much a focus of our investigation," said Jaclyn Falkowski, a spokeswoman for Connecticut Attorney General George Jepsen.
Cyber security has become a major concern for U.S. firms. Some of the biggest data breaches reported to date include those at retailers Target Corp and Home Depot Inc.
Wakefield said Anthem was not worrying about lawsuits by states or customers as a result of the security breach.
"Our first priority is to determine who was impacted and to notify our members," she said, adding that Anthem was working with cyber security experts on ways to prevent future attacks.
The insurer has been communicating with regulators and attorneys general in the markets where it does business, Wakefield said.
U.S. law does not specifically require sensitive health data be encrypted, said Washington lawyer Deven McGraw, an expert in healthcare privacy.
"Encryption is one physical safeguard that can be very helpful to lowering cyber security risk," McGraw said.
Anthem's shares were down 1.1 percent at $135.69 on the New York Stock Exchange.
(Reporting by Bill Berkrot and Karen Freifeld in New York and Anjali Rao Koppala in Bengaluru; Editing by Don Sebastian and Lisa Shumaker)