A MESSAGE FROM COMPTROLLER LEMBO

Dear Fellow State Employee,

This message is to notify all state employees that Anthem, Inc. � one of two health insurance providers for the State of Connecticut�s employees and retirees � was the target of an extensive cyber-attack that resulted in a data breach that has potentially exposed all of its customer data such as names, addresses, social security numbers, birth dates, and other information.

A full investigation by Anthem and federal law enforcement is underway to determine the extent of the breach.

State officials, including myself, have met with Anthem officials to discuss remedies for current and former employees, retirees and their dependents � as well as any other Connecticut consumers whose information may have been compromised.

We have called for � and Anthem has guaranteed � at least two years of credit monitoring, identity theft insurance and other protections for those Connecticut state employees, retirees and dependents who may be affected. These voluntary protections will be retroactive to the time of the breach. Once Anthem confirms the enrollment steps they�re offering, we will circulate that information as soon as possible. Anthem will also notify individuals by U.S. mail once they identify whose information was compromised. That identification process is ongoing.

We are working closely with Anthem to better understand the details of this attack and the effect on our members. In the meantime, here is what we know:

• Once Anthem determined it was the victim of a sophisticated cyber-attack, it immediately notified federal law enforcement officials and shared the indicators of compromise with the HITRUST C3 (Cyber Threat Intelligence and Incident Coordination Center).
• Anthem�s Information Security has worked to eliminate any further vulnerability and continues to secure all of its data.
• Anthem immediately began a forensic IT investigation to determine the number of impacted consumers and to identify the type of information accessed. The investigation is still taking place.
• The information accessed includes member names, member health ID numbers/Social Security numbers, dates of birth, addresses, telephone numbers, and email addresses.
• Anthem is still working to determine which members� personal information was accessed.
• Anthem�s investigation to date shows that no credit card or confidential health information was accessed.
• Anthem has advised us there is no indication at this time that any of our members� personal information has been misused.
• All impacted Anthem members will be offered identity theft monitoring and credit monitoring services for two years. Anthem will soon provide affected members with information by U.S. mail on how to enroll in this protection.

Members who may have been impacted by the cyber-attack against Anthem should be aware of scam email or phone campaigns targeting current and former Anthem members. Email scams, designed to capture personal information (known as "phishing") are designed to appear as if they are from Anthem and the emails include a "click here" link for credit monitoring. These emails are NOT from Anthem.

• DO NOT click on any links in email.
• DO NOT reply to the email or reach out to the senders in any way.
• DO NOT supply any information on the website that may open if you have clicked on a link in email.
• DO NOT open any attachments that arrive with email.
• DO NOT respond to unsolicited calls about this matter from individuals who may claim to be Anthem representatives, particularly if they attempt to verify your personal information

For additional information, members are directed to the following resources:

• www.anthemfacts.com which includes a link to Frequently Asked Questions.
• State of CT dedicated Customer Service Line at 1-800-922-2232.
• Attorney General George Jepsen and state Department of Consumer Protection Commissioner Jonathan A. Harris are advising all Connecticut residents who may be affected by the breach to report any suspicious activity on their credit report or other financial accounts to law enforcement immediately. Suspicious activity can also be reported to the Office of the Attorney General’s Privacy Task Force by emailing attorney.general@ct.gov or calling 860-808-5318.
• State Department of Consumer Protection. http://www.portal.ct.gov/dcp/cwp/view.asp?a=4302&q=560456.
• State Department of Revenue Services: http://www.portal.ct.gov/drs/site/default.asp.
• Federal Trade Commission:  http://www.consumer.ftc.gov/articles/0275-place-fraud-alert.
• Internal Revenue Service, http://www.irs.gov/Individuals/Identity-Protection