US health insurer Anthem has revealed the fallout from its massive cyber breach could be far greated than previously thought, announcing that between 8.8 million to 18.8 million non-customers could be victims of the attack.
Anthem, the USA's second-largest health insurer, is part of a national network of independently run Blue Cross Blue Shield plans through which BCBS customers can receive medical services when they are in an area where BCBS is operated by a different company.
Those Blue Cross Blue Shield customers may have been affected by the breach because their records were included in the database that was hacked, the company said.
It is the first time that Anthem has quantified the impact of the breach on members of health insurance plans that it does not operate.
Anthem updated the total number of records accessed in the database to 78.8 million customers from its initial estimate of 80 million, which includes 14 million incomplete records that it found.
Anthem does not know the exact number of Anthem versus non-Anthem customers affected by the breach because of those incomplete records, which prevent it from linking all members with their plan, Anthem spokeswoman Kristin Binns said.
Security experts are warning that healthcare and insurance companies are especially vulnerable to cybercriminals who want to steal personal information to sell on the black market.
Anthem continued to estimate that tens of millions of customer records were stolen, rather than simply accessed. The spokeswoman added that the company's investigation was ongoing. Federal and state authorities are also investigating.
Anthem runs Blue Cross Blue Shield healthcare plans in 14 states, while plans in states such as Texas and Florida are run independently. In all, 37 companies cover about 105 million people under the Blue Cross Blue Shield license.
Binns said the company still believes the hacked data was restricted to names, dates of birth, member ID/Social Security numbers, addresses, phone numbers, email addresses and employment information such as income data.
Anthem will start mailing letters next week to Anthem customers and other Blue Cross Blue Shield members affected by the hacking. It will offer them two years of identity theft repair assistance, credit monitoring, identity theft insurance and fraud detection.