Anthem data breach latest scare for health insurers
The nation’s second largest health insurer, Anthem (which includes several major Blue Cross and Blue Shields brands), has reported a major data breach. Last Wednesday, security personnel discovered a hack in which cyber thieves accessed the names, birth dates, social security numbers, addresses and member IDs of up to 80 million current and former policy holders. Anthem’s President and CEO, Joseph R. Swedish, in a letter to its current and former members said that through its initial analysis of the breach “there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.” Nevertheless, the impact of this breach is significant.
Anthem’s immediate actions and communications to its members suggest that the insurer had a well orchestrated, proactive cyber-security response plan in place. Anthem quickly moved to evaluate the breach once it was discovered. Anthem notified the FBI (and has provided on-going cooperation in the ensuing investigation) and hired its own top-tier cyber security firm to provide forensic services. Members were provided access to a website (www.AnthemFacts.com) and a toll free number (877-263-7995) to receive updates on the breach and answers to frequently asked questions. In addition, Anthem will be notifying affected members and providing them with credit monitoring and identity theft protection services.
Despite Anthem’s response to date, it will take some time to determine exactly who has been impacted by – and the extent of – the breach. Accordingly, security experts would urge those whose personal information may have been compromised to take the following steps on their own:
- Monitor existing financial accounts
- Sign up for individual credit alerts/reports and identity theft protection
- Sign up for fraud alerts
- Change various account passwords
- Be wary of emails relating to the breach – phishing scams designed to have victims provide personal information in response to these emails will be prevalent.
The backlash has already begun. An Indianapolis lawyer filed a class-action lawsuit in U.S. District Court against Anthem less than 12 hours after the attack was reported. By mid-day Thursday, the Anthem response website had received over 256,000 hits.
While the company has received praise for immediately alerting customers and government officials about the attack, this isn’t the first time the company has suffered a breach. In 2010, hackers accessed the health information of over 600,000 of its customers that led to a $1.7 million settlement with U.S. Department of Health and Human Services due to HIPAA violations from the disclosure of public health information.
Since its 2010 attack, Anthem claims it hired 200 security specialists and doubled the amount of money spent on cyber-security. A recent PricewaterhouseCoopers study reveals that information security incidents rose 60% last year alone in the healthcare sector. However, these threats are not limited to companies in this industry. Despite sound risk management practices and data breach preparedness, hackers have been successful at targeting some of the world’s leading financial, business and retail institutions. Now, more than ever, it is critical for companies to evaluate how to mitigate the damage from cyber attacks and transfer part of this risk.
Anthem, like other previously impacted companies, will likely incur enormous costs and expenses to investigate and respond to the cyber breach and provide notice, credit monitoring and other identity theft services to affected members. Companies with well crafted cyber insurance policies may have coverage for many of these costs.
Even in the early aftermath of the Anthem breach, much can be learned both by companies vulnerable to a cyber attack and individuals who might fall victim to hackers. Proactive data breach initiatives and cyber insurance will not eliminate cyber threats, but certainly are critical to dealing with an already widespread problem that appears to be gaining momentum.
(See WGA’s Anthem Healthcare Breach Resource Center for further information)
About the Author
Michael Talmanson is a Vice President at WGA in the Property and Casualty Group and leader of the firm’s Technology and Cyber Risk Practice. He advises high technology, life sciences and financial services companies about insurance and risk management matters.