- Data breach notification letters about the Anthem breach are not being sent out in timely enough fashion, according to Senate health committee leaders.
Senate health committee Chairman Lamar Alexander and Ranking Member Patty Murray wrote a letter to Anthem President and CEO Joseph Swedish, calling for notification letters to be sent to all 78.8 million potentially affected individuals.
The Anthem data breach was discovered on Jan. 29, 2015, but the company waited until Feb. 4, 2015 to make a public announcement. The databases were potentially accessed as early as April 2014, the lawmakers wrote, which means personal data could have been in the wrong hands for some time.
“While we appreciate your efforts to keep our Committee informed of your efforts to respond to the attack after you became aware of it, we are troubled by Anthem’s delay in notifying these 78.8 million Americans,” Alexander and Murray stated in their letter.
More than 50 million Americans have yet to receive a data breach notification letter, according to the duo. These individuals have not officially been told that their personal information was potentially exposed and have not been given information on identity protection services.
“While we understand the logistical challenges associated with contacting millions of people, the highly sensitive nature of this information makes early notification essential, and we are concerned with your slow pace of notification and outreach thus far,” Alexander and Murray wrote. “We are writing to formally request that you speed up the pace of notifications, and share with our committee what steps you plan to take in the next few days, to dramatically increase the pace of notification.”
Moreover, Alexander and Murray requested a clear and concise action plan that ensures that all potentially affected individuals receive data breach notification letters “in the upcoming days.” The Senate leaders also asked that Anthem outline how its efforts comply with federal and state laws and guidelines about the notification process.
The slow pace is disconcerting because many individuals who are impacted by the data breach are not even Anthem members. Therefore, they might not have any idea that their personal information was even in the database that was attacked. As an example, Alexander and Murray said that hundreds of thousands of individuals in each of their respective states were affected by the Anthem data breach. Anthem insurance policies are not issued in either Tennessee or Washington, but Anthem’s own reports said that one-quarter of those affected in those two states are Medicare or Medicaid patients serviced by Anthem.
Even so, the Senate leaders did commend Anthem on the services it is making available to affected individuals. Two years of credit monitoring and repair services is great, but it is “alarming” that many Americans are still unaware that they can use those services.
In February, Alexander and Murray also initiated discussion on data encryption requirements as part of a bipartisan review of health information security. In a statement, Alexander said that he looked forward to working with Murray to determine data breach prevention methods and how Congress could potentially help.