News Feature | February 26, 2015

Anthem's Breach Woes Far From Over

By Christine Kern, contributing writer

Breach costs could surpass insurance coverage, and non-Anthem customers were potentially affected.

The reach of the recent Anthem data breach continues to expand. As Health IT Outcomes reported earlier, the sophisticated external cyberattack left account information of as many as 80 million customers vulnerable. In the wake of the breach announcement, a ripple effect swept through healthcare, raising concerns about the safety and security of personal information across the board as well as demands for legislation requiring encryption of all health records.

Now, Reuters is reporting 8.8 million to 18.8 million non-customers may be victims of the hack as well. Anthem participates in a national network of independently run Blue Cross Blue Shield plans that allow BCBS customers to receive in-network coverage in areas where BCBS is operated by a different carrier. Those BCBS customers are the ones who could potentially be at risk, since their records may be included in the database that was hacked, the company has said.

Anthem spokeswoman Kirstin Binns told Reuters that Anthem does not know exactly how many Anthem versus non-Anthem customers have been affected by the breach, because more than 14 million incomplete records in the database prevent the company from linking all members with their respective plans.

And as if that were not enough, Anthem says some tens of millions of customer records were not just accessed but stolen. Anthem has also acknowledged in a new financial filing that its recent data breach involving 80 million people could result in “significant” expenses that its cybersecurity insurance policy may not fully cover. That disclosure appeared in the company's annual 10-K report filed with the Securities and Exchange Commission.

Anthem continues to assert the hacked data was restricted to names, dates of birth, member ID/Social Security numbers, addresses, phone numbers, email addresses, and employment information such as income data.

The hack will be costly for Anthem for a number of reasons, including the expense of providing two years of free credit-monitoring and identity theft protection services, fines and legal expenses stemming from lawsuits – more than 50 by the latest tally – and other investigative costs. In a less tangible way, the breach may harm company image and customer loyalty, though to date the response seems rather mild.

One other factor coming into play is how much of the expense will be offset by Anthem's cybersecurity insurance. Anthem spokeswoman Binns said in an email to Modern Healthcare that the company was not able to comment beyond what was included in the filing. The December 2013 data breach at Target Corp cost an estimated $148 million in breach-related expenses, while Target's insurance policy covered only $38 million, according to Modern Healthcare.

According to the SEC filing, Anthem closed its fiscal 2014 with almost $2.2 billion of cash and cash equivalents on hand and total assets exceeding $62 billion.