When a massive data breach struck retailer Target during the midst of the 2013 holiday season, consumers responded by shopping at other stores and its brand was briefly tarnished. Now, Anthem, the nation’s largest Blue Cross operator, finds itself in a similar position. But switching health insurers is a whole lot more complicated than heading over to another store.
Anthem said it discovered the data breach a week ago, and its IT team was able to contain it and quickly notify the Federal Bureau of Investigation. But the damage could be devastating for as many as 80 million past and present customers and employees of the nation’s second-largest insurer.
“The information accessed includes names, birthdays, Social Security numbers, street addresses, email addresses and employment information, including income data,” said CEO Joseph Swedish in a letter posted on anthemfacts.com, a dedicated website the company established to help relay information to those exposed by the hack.
“I want to personally apologize to each of you for what has happened,” Swedish wrote, “as I know you expect us to protect your information.”
The company said no sensitive medical data or credit card information appears to have been compromised, but with Social Security numbers and birth dates, it is easy for thieves to commit fraud.
The company plans to pay for credit monitoring and identity protection for those affected.
It is likely that many of the costs tied to the breach will be picked up by Anthem’s insurer, analysts said, and the company reaffirmed its 2015 earnings forecast. Anthem shares fell less than one percent Thursday in the wake of the news.
“No one is immune to the cybersecurity threat, even the most sophisticated organizations. We believe that customers understand these challenges that everyone faces,” said Brian Wright, health care analyst at Sterne Agee. “As these attacks have become more commonplace, the impact to brand becomes less relevant.”
But the company will still have some work to do to win back trust and prevent members and providers from leaving its plans. Currently, Anthem has 37 million members across 13 states in the both the private and government insurance markets, and the insurer has some of the largest networks of providers.
Leerink analyst Ana Gupte said members in many markets won’t have too many options to choose from, but the scope of the breach is still a problem for the insurer.
“Clearly, it is a crisis. They have to manage this properly,” said Gupte. “They have to assure their customer base that they are taking this very seriously.”
Because of federal provisions on securing health-care data, the health-care industry is more apt to obtain insurance to cover a breach, according to Marsh and McLennan data. In 2014, 50 percent of health-care firms had coverage, compared with about a third of institutions in the education industry and just over 20 percent of financial institutions.
To obtain insurance coverage, companies need to meet certain standards for protecting against cyberthreats, but security amounts to a race that has no end, said Peter Beshar, executive vice president and general counsel at Marsh.
“We need to constantly evolve. There is a technological solution to some of these aspects,” he said. “Greater degrees of encryption, for example, two-factor authentication for enhanced password protection.”
The Anthem’s data was not encrypted. A spokeswoman said the hackers bypassed security protocols that, “because an administrator’s credentials were compromised, additional encryption would not have thwarted the attack.”