Anthem is on the cusp of having to make the biggest payout in U.S. history for a data breach. The $115 million proposed settlement reflects just how valuable patient records and personal information have become.
"There've been bigger breaches, such as Target, but this one is unique because of the types of the records taken," said Daniel Marvin, a partner with law firm Morrison Mahoney who specializes in data security and cyber-insurance topics. Almost 80 million records were exposed in the 2015 breach, revealing names, birth dates, Social Security numbers and other information. "The critical and valuable information that most lends itself to identity theft is the type of information that was taken," he explained. "That's one of the reasons we're seeing such a large number in terms of the settlement amount."
Target and Home Depot, two companies that suffered well-documented data breaches of their own during the past couple of years, each paid less than a fifth of what Anthem is expected to dole out to settle their claims. The Anthem settlement must still be approved by the U.S. District Court in California.
"When comparing the Anthem number to other large retail breaches, keep in mind that in most of those retail breaches it was just credit card information," said Kenneth Dort, a partner at Drinker Biddle & Reath, a law firm whose clients include Anthem but which was not involved in this settlement. "There isn't a high level of identity fraud, whereas with Anthem, you've got a pretty good foundation for potential identity theft."
Still, the Anthem settlement may not capture the company's total exposure related to the breach, Marvin said. Beyond the settlement there is the cost of the initial forensic analysis, of notifying the people whose information was breached, and of possible reputational damage.
Healthcare companies should take notice.
"It's not just insurers," said David Holtzman, vice president of compliance strategies for CynergisTek and a former senior adviser to HHS' Office for Civil Rights. "It's vital that everyone, from the smallest physician's office to the largest health insurer, have some cyber-awareness in place and take appropriate measures to understand what the risk is."
He pointed to the fact that the Anthem breach happened because an employee opened a phishing email and that it took almost an entire year for Anthem to notice anything was awry. "The big takeaway from this breach," Holtzman said, "is you have to have technologies in place that allow for audit and review, for monitoring system activity."