Anthem is under fire from attorneys general across the nation over a failure to communicate.
Last Wednesday, the health insurance provider revealed that it had been thein which hackers broke into servers and stole the personal information of as many as 80 million current and former members and employees. The attack compromised names, birth dates, member IDs, Social Security numbers, addresses, phone numbers, email addresses and employment information, according to CEO Joseph Swedish.
Addressing Anthem members, Swedish also said there was no evidence that credit card or medical information was targeted or compromised.
The exposure of Social Security numbers, combined with the other information, puts people at risk since it could easily lead to identify theft. But at this point, Anthem customers are in a holding pattern, not knowing if their own personal data was stolen. Swedish promised that Anthem would individually contact every customer whose personal information was exposed in the hack and that it would provide free credit monitoring and identity protection services for such people. But the company has so far failed to honor that promise, according to the attorneys general from 10 US states.
In a letter sent to Anthem, the attorneys general said that "few follow-up details have been made available, and none at all about how individuals can sign up for the protections Anthem will provide them." The letter expressed "alarm" at Anthem's failure thus far to follow up with customers impacted by the hack.
In a statement on his website, Connecticut Attorney General George Jepsen said that Anthem's delay in informing people affected by the data breach is creating more concern among the health insurer's customers. Gepsen added that his office has been "flooded" with calls from Anthem customers in Connecticut frustrated by the lack of information from the company so far.
The letter to Anthem by Jepsen was sent on behalf of attorneys general from Arkansas, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania and Rhode Island:
As the days pass with no direct communications from Anthem, our offices are receiving more and more communications from constituents expressing greater and greater frustration. Their frustration is justified. The delay in notifying those impacted is unreasonable and is causing unnecessary added worry to an already concerned population of Anthem customers. We are also concerned that delays in providing protections to the victims of this breach compounds the risk they face.
Anthem must communicate detailed information without any further unnecessary delay. Further, Anthem must commit to reimbursing consumers for any losses associated with this breach during the time period between the breach and the date that the company provides access to credit and identity theft safeguards.
In the letter, Jepsen asked Anthem to contact his office with details on its plans no later than 3 p.m. ET on Wednesday, February 11.
On Tuesday, Anthem said that it was committed to informing customers impacted by the data breach in a timely manner and that it was working with an outside vendor on the credit monitoring and identify theft services.
"We have laid out a thoughtful plan with this vendor so that they can accommodate what we anticipate will be very high demand for these services," Anthem said an a statement sent to Reuters. "We plan to communicate to members very soon, about how exactly they can enroll."
Anthem did not immediately respond to CNET's request for comment.