RE: February 10, 2015 letter to Mr. Swedish concerning Anthem, Inc. Data Breach

Dear Mr. Jepsen:

I read with interest the letter you recently sent to Mr. Swedish, President and CEO of Anthem, Inc., on behalf of yourself and several other state Attorneys General, with regard to their recent massive data breach. The focus of your letter appears to have been primarily regarding the passage of time and inherent delay in their direct notification of the more than 80 million affected individuals, regarding the details of the breach and how they may take advantage of the offering of credit monitoring. While it is certainly important that impacted individuals affected by this breach be notified promptly, with all due respect, I believe that your letter misleads consumers.

Anthem is planning to offer the individuals affected by this data breach a credit monitoring and credit repair service. While this is useful in addressing the potential harms of certain types of financial identity theft, it is ineffective in addressing the potential harms resulting from medical identity theft.

Medical identity theft affected more than 2 million Americans in 2014 based on the soon to be released Medical Identity Theft study from the Ponemon Institute. Stolen medical identity is exponentially more valuable than other forms for personal information, such as credit card or other financial account information. A medical identity is now valued at up to $50 per record on the dark web, whereas a stolen Social Security number only sells for $1. Cybercriminals are monetizing medical identities up to 50 times more than financial identities. Further, the Medical Identity Fraud Alliance notes that “medical identity theft and fraud constitute a major societal problem exerting pressure on our healthcare and financial ecosystems.”

The greatest and longest lasting potential harms that are likely to affect the individuals impacted by the Anthem breach will be medical identity theft. As a result, it can have devastating impact on individuals, be difficult to detect, and be very costly to repair.

It is for these reasons that I would encourage you to consider that some type of medical identity monitoring, to complement the credit monitoring, should be an essential requirement to offer the more than 80 million individuals affected by the Anthem breach in order to protect them from this serious harm. Credit monitoring—and your encouragement of this—is potentially a misleading “security blanket” to those already impacted.

Our company, ID Experts, has more than eleven years of experience in helping consumers address the harms of both financial and medical identity theft, including when the exposure has occurred due to a data breach. Our point of view on this issue is based on a lengthy history working with companies and consumers. We know that you are concerned and committed to serve your constituents and I encourage you to take a stand and demand more.

If I can be of assistance in providing further information on the harms of medical identity theft or solutions for medical identity monitoring, please feel free to contact me.

Yours truly,

Bob Gregg
Chief Executive Officer
ID Experts Corporation
cc: All Other State Attorneys General