The nation's largest Blue Cross Blue Shield insurer has to find its way out of what may be the largest healthcare data breach ever, casting a dark cloud on the outlook for a prosperous, transformative year.
Anthem, the nation's second largest insurer, is notifying some 80 million past and present customers that their personal information may have been compromised in "very sophisticated external cyber attack," said CEO Joseph Swedish in an online letter to members.
While there is no evidence that credit card numbers or personal health information were exposed, the perpetrators have obtained customers' names, birthdays, health plan identification numbers, social security numbers, addresses, email addresses, employment information and income.
It's not clear how many were affected in the breach, but Indianapolis-based Anthem estimates that at least "tens of millions" were impacted. The company has 37 million current health plan members, insured through Blue Cross plans in 14 states, and has 32 million non-medical customers. It also apparently retained data on several million former members.
"Anthem's own associates' personal information -- including my own -- was accessed during this security breach," Swedish wrote. "We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data.
Anthem employees discovered the attack, closed the vulnerability and notified the Federal Bureau of Investigations. Anthem is notifying current and former customers individually and offering them free credit monitoring and identity protection services.
The company also has retained the cybersecurity firm Mandian to evaluate its data and IT systems and "identify solutions based on the evolving landscape," Swedish said.
And who are the perpetrators? It could be individuals from the cottage industry of hackers who steal identifying information to sell to fraudsters on the black market, where a package of someone's social security number, mother's maiden name, credit card number and expiration date can sell for just $5.
"It is not clear how the bad guys got in, but this smells of a spear phishing attack by eastern European cyber mafia followed by data exfiltration, pretty much social engineering business as usual for them," said Stu Sjouwerman, CEO of KnowBe4, an online privacy company.
Whoever it was, Anthem now has to devote time and resources to cleaning up the mess, which might slow down the company's plans for making its products more consumer-focused, the California health data sharing initiative CalINDEX, and technology and business improvements related to a $500 million deal with IBM.
The for-profit insurer could also scare some investors. Anthem posted a net income of $2.6 billion for 2014, at $8.99 per share. In its January 28 earnings statement, Anthem forecast as much as $9.70 per share, or $2.8 billion, for 2015.
The costs of the data breach could be enough to eat into this year's earnings and into the future, if the insurer's reputation is harmed and exchange consumers and employers switch plans or don't choose Anthem to begin with.
As data security expert and Healthcare IT News managing editor Erin McCann noted, the attack on Anthem could be the largest healthcare data breach ever, depending on how many of the 80 million customers were impacted.
Healthcare is increasingly seen as a prime target for hacking, and health insurers may be especially vulnerable in the midst of IT modernization and digitization efforts.
So-called ethical hacker Kevin Johnson, the CEO of Secure Ideas, told McCann that the attack on Anthem may not be as "sophisticated" as the company believes. "I have never found an insurance company that required a sophisticated attacking incident. Period."
But Johnson have Anthem kudos for discovering the breach themselves, when some 60 percent of hacked organzations usually only learn of attacks via third parties. "For Anthem to say 'Hey, we saw something weird,' that is leaps and bounds ahead of most breaches. It's already ahead of Target."
Indeed, corporations in all industries are finding themselves at cyber risk.
The largest breach to date hit information services company Experian in 2013, when information on some 200 million individuals was exposed. That same year, a 145 million-person breach hit eBay and a year later records for 76 million J.P. Morgan Chase customers were exposed.
In healthcare, the largest breach hit the TRICARE program in 2011, when some 4.9 million military service personnel and their families had their personal information exposed. Second to that, last year hackers infiltrated Community Health Systems, the for-profit hospital chain, and obtained data on 4.5 million Americans.