But even though Anthem’s data breach has far-reaching ramifications for its members, the insurer and Wall Street analysts are shrugging off the potential financial and reputational damage to the company.
Anthem, the second-largest U.S. insurer by revenue, disclosed last week that the Social Security numbers, income data, birthdays, e-mails, street addresses and other personal data of up to 80 million of its current and former members have been exposed in a "very sophisticated external attack" that may have occurred in December. Medical records and credit card information were not targeted, the Indianapolis-based company said.
The Health Information Trust Alliance (HITrust), which is working with Anthem to find the attack’s source, said Anthem was the sole target. But other large health insurers have raised their information technology surveillance following the hack. Stolen personal data from insurers and other healthcare organizations can be used to make false insurance claims, among other risks.
Health Care Service Corp., the parent of five state Blue Cross and Blue Shield plans, said it is "working hard with Anthem to determine whether any of our customers or employees were affected by this event." UnitedHealth Group said it is in close contact with HITrust and is "monitoring our systems and the situation closely."
The most costly consequence could be long-term damage to Anthem’s customer loyalty, a risk the insurer seems to recognize.
MH Takeaways
Chris Rigg, an analyst with Susquehanna Financial Group, called Anthem’s incident "unfortunate but manageable." J.P. Morgan Securities Analyst Justin Lake said in a note to investors that the data breach is not expected to hurt the company’s lofty profit projections for 2015. Anthem previously said earnings per share this year will be at least $ 9.30.
An Anthem spokeswoman said the company does not expect a "material" financial impact from the breach. Anthem has a cybersecurity insurance policy, which should absorb the administrative costs of providing promised free credit-monitoring services and identity-theft protection to affected members.
Even so, the total cost of Anthem’s breach likely will be significant. When retailer Target Corp. suffered a data breach affecting 70 million customers last year, it reported spending $ 148 million in a single quarter to cover legal fees, forensics and other expenses. That was only partly offset with a $ 38 million payout from its insurance policy.
Cybersecurity insurance has become common in healthcare, particularly for insurers. Larger companies can purchase cybersecurity coverage in excess of $ 100 million, and in some cases, up to $ 300 million, said Evan Fenaroli, a cyberproduct manager at Philadelphia Insurance Companies, which sells policies to small physician practices and regional health systems. Fenaroli’s average healthcare client has a $ 1 million policy, with annual premiums ranging from $ 5,000 to $ 10,000.
The most costly consequence of a data breach is the long-term damage to customer loyalty, according to a study conducted last year by privacy consulting firm Ponemon Institute. Healthcare companies see high consumer turnover when their security is compromised, the group said.
Anthem seems aware of that risk. "We will continue to do everything in our power to make our systems and security processes better and more secure, and hope that we can earn back your trust and confidence in Anthem," CEO Joseph Swedish wrote to members. Anthem hired cybersecurity firm Mandiant to evaluate its IT systems.
At least three class-action lawsuits—one in Alabama, California and Indiana—were filed against Anthem immediately following news of the breach. HHS’ Office of Inspector General also is stepping in to see how the hack affected Anthem’s 6.6 million Medicare and Medicaid beneficiaries.
Little is known about how much health insurers spend on data security. At Arches Health Plan, a new not-for-profit Utah insurer, at least 20% of its IT budget goes toward data security, making up about 4% of the company’s overall spending, said Arches Chief Information Officer Eric Sorenson.
Data security is easier for startups such as Arches because its IT system is a blank slate, while established players such as Anthem may have to deal with multiple legacy systems, said Ferris Taylor, Arches’ chief strategy officer. "It’s hard to add security into systems if you don’t start with security," he said.
No comments:
Post a Comment