The costs associated with Anthem’s recent data breach are continuing to spiral. ZDNet recently reported that the insurance giant’s $100 million cyber-insurance policy is likely to be exhausted soon due to the sky-high cost of notifying 80 million current and former members and employees dating back to 2004.
Data breaches can get ugly
Anthem also has to consider the incalculable expense of providing identity theft repair and credit monitoring for all those people. So far, ten state attorneys general have complained that Anthem isn’t moving fast enough in its notification efforts. Anthem members across the U.S. are already getting calls from scammers posing as “investigators.”
Meanwhile, questions abound about whether the breach was truly “sophisticated” or not. The hackers had the skills to penetrate several Anthem security layers, but they were then able to access the vast database using a stolen password. Numerous reports suggest that Anthem had not encrypted the Social Security numbers found in that database.
The breadth of what got stolen far exceeds what was lost in Community Health Systems’ 2014 breach:
About 16 times more individuals were involved – and dates of birth, physical and email addresses, and Social Security numbers were taken. To add insult to injury, Anthem CEO Joseph Swedish had his personal information stolen, too.
Mr. Swedish has personally apologized to the 80 million folks who’ve been victimized, but the reputational damage is likely to be lasting. After all, 80 million roughly equals the combined populations of California, New York, Illinois and Maryland.
Here’s even more sobering news: nationwide, only about 6 percent of healthcare data breaches are due to hackers. The other 94 percent are the result of simple human errors by employees and business associates: losing laptops with unencrypted data, using insecure Wi-Fi hotspots, etc.
The Anthem breach is more than a wake-up call.
It’s a bugle playing at 110 decibels in the boardrooms of every health insurance company in the nation. Now is the time for every insurer to double down on its information risk management efforts, which need to go much further than IT safeguards.
Clearwater’s new Information Risk Management Capability Advancement Model (IRMCAM) lets your organization measure how it really stacks up against key benchmarks. You may think that your information risk management program is mature and impregnable. Unfortunately, so did Anthem.
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.