By Bill Berkrot and Joseph Menn
(Reuters) - Health insurer Anthem Inc on Friday warned U.S. customers about an email scam targeting former and current members whose personal information was suspected to have been breached in a massive cyber attack.
The No. 2 U.S. health insurer said on Wednesday that hackers breached its computer system containing data on up to 80 million people.
Anthem announced the warning about the email scam in a statement, saying they purport to come from Anthem and ask recipients to click on a link to obtain credit monitoring. Anthem advised recipients not to click on links or provide any information on any website.
The company said it will contact current and former members about the attack only via mail delivered by the U.S. Postal Service. It is not calling members regarding the breach and is not asking for credit card information or Social Security numbers over the phone.
Anthem said there was no indication the email scam was connected to those who perpetrated the security breach.
The insurer acknowledged that data accessed by hackers had not been encrypted, as is the normal practice at many companies.
"When the data is moved in and out of the warehouse it is encrypted. But when it sits in the warehouse, it's not encrypted," Anthem spokeswoman Cindy Wakefield said.
Anthem needs to be able to easily access patient data in order to create the numerous reports it generates for customers and regulators as part of doing business, Wakefield explained. "I think that is standard practice," she added.
"How we managed our data in the warehouse has been appropriate," Wakefield said. "No one has pointed a finger and said you did this wrong and this is why this happened."
But Richard Marshall, a former senior cyber security defence expert at the U.S. National Security Agency, said the numbers should have been encrypted.
"Social Security numbers can be sold to people who are here illegally," said Marshall, who now advises private security firms. "Identity theft is a major issue."
In a separate case on Friday, Intuit Inc temporarily halted electronic state tax return filings by its customers after detecting what a spokeswoman said was identify theft-driven fraudulent returns seeking refunds. She said the fraud had not been tied to any specific breach, including that at Anthem.
Intuit said late Friday it had resumed electronic filings of state tax returns.
Experts at other companies said they believed that Anthem attacks would eventually be tied to one of the most sophisticated hacking groups in China, which security firm CrowdStrike calls Deep Panda and which reportedly began targeting the healthcare industry last year.
"We've seen the Deep Panda actor registering domain names that were haelth-sector specific and could be potentially tied to victims," said Adam Meyers, CrowdStrike vice president of threat intelligence.
Social Security numbers and health data might interest spies for other nations who want to build portfolios of information about U.S. government employees, for leverage or more targeted attacks, experts said.
Chase Cunningham, a threat researcher at security firm Firehost and former NSA cryptology expert, said that over the past year he had seen more searches originating from China for broad swaths of data, instead of the previously more typical attempts at trade secret theft.
Several U.S. states are investigating the cyber attack on Anthem.
"The level of protection of this highly sensitive information is very much a focus of our investigation," said Jaclyn Falkowski, a spokeswoman for Connecticut Attorney General George Jepsen.
Cyber security has become a major concern for U.S. firms. Some of the biggest data breaches reported to date include those at retailers Target Corp and Home Depot Inc.
Wakefield said Anthem was not worrying about lawsuits by states or customers as a result of the security breach.
"Our first priority is to determine who was impacted and to notify our members," she said, adding that Anthem was working with cyber security experts on ways to prevent future attacks.
The insurer has been communicating with regulators and attorneys general in the markets where it does business, Wakefield said.
U.S. health privacy law does not specifically require that all sensitive data be encrypted, said Deven McGraw, a partner in the healthcare practice of law firm Manatt, Phelps & Philipps.
"Encryption is one physical safeguard that can be very helpful to lowering cyber security risk," McGraw said.
Anthem's shares closed down 1.1 percent at $135.69 (89 pounds) on the New York Stock Exchange.