The attack on Anthem, a Blue Cross and Blue Shield affiliate with plans in 14 states, dwarfs the previous largest healthcare breach attributed to hackers. That came last year when Community Health Systems disclosed that Chinese hackers stole information belonging to 4.5 million patients in its physician practices.
Chris Rigg, an analyst with Susquehanna Financial Group, called Anthem's incident “unfortunate but manageable.” J.P. Morgan Securities Analyst Justin Lake said in a note to investors that the data breach is not expected to hurt the company's lofty profit projections for 2015. Anthem previously said earnings per share this year will be at least $9.30.
An Anthem spokeswoman said the company does not expect a “material” financial impact from the breach. Anthem has a cybersecurity insurance policy, which should absorb the administrative costs of providing promised free credit-monitoring services and identity-theft protection to affected members.
Even so, the total cost of Anthem's breach likely will be significant. When retailer Target Corp. suffered a data breach affecting 70 million customers last year, it reported spending $148 million in a single quarter to cover legal fees, forensics and other expenses. That was only partly offset with a $38 million payout from its insurance policy.
Cybersecurity insurance has become common in healthcare, particularly for insurers. Larger companies can purchase cybersecurity coverage in excess of $100 million, and in some cases, up to $300 million, said Evan Fenaroli, a cyberproduct manager at Philadelphia Insurance Companies, which sells policies to small physician practices and regional health systems. Fenaroli's average healthcare client has a $1 million policy, with annual premiums ranging from $5,000 to $10,000.
The most costly consequence of a data breach is the long-term damage to customer loyalty, according to a study conducted last year by privacy consulting firm Ponemon Institute. Healthcare companies see high consumer turnover when their security is compromised, the group said.
Anthem seems aware of that risk. “We will continue to do everything in our power to make our systems and security processes better and more secure, and hope that we can earn back your trust and confidence in Anthem,” CEO Joseph Swedish wrote to members. Anthem hired cybersecurity firm Mandiant to evaluate its IT systems.
At least three class-action lawsuits—one each in Alabama, California and Indiana—were filed against Anthem immediately following news of the breach. HHS' Office of Inspector General also is stepping in to see how the hack affected Anthem's 6.6 million Medicare and Medicaid beneficiaries.
Little is known about how much health insurers spend on data security. At Arches Health Plan, a new not-for-profit Utah insurer, at least 20% of its IT budget goes toward data security, making up about 4% of the company's overall spending, said Arches Chief Information Officer Eric Sorenson.
Data security is easier for startups such as Arches because its IT system is a blank slate, while established players such as Anthem may have to deal with multiple legacy systems, said Ferris Taylor, Arches' chief strategy officer. “It's hard to add security into systems if you don't start with security,” he said.