Login Register Subscribe
Current Issue

Anthem data breach will raise scrutiny of health organizations' cyber risks

Reprints

Underwriters are expected to intensify their scrutiny of cyber risks within health care organizations as a result of the massive data breach affecting Anthem Inc., but competition and capacity could limit premium increases.

The reaction of American International Group Inc., whose Lexington Insurance Co. is the primary cyber insurer for Indianapolis-based Anthem, is expected to set the pricing tone for the insurance market, experts say.

“If AIG makes a move to increase rates or tighten underwriting scrutiny considerably, that will, I think, have a ripple effect across the market,'' said Ben Beeson, Washington-based partner, global technology and privacy practice, at insurance brokerage Lockton Cos. L.L.C. “If they don't, then it will take longer for that to happen.”

Anthem CEO Joseph R. Swedish said in his Feb. 4 announcement that the “very sophisticated external cyber attack” involved the theft of names, birth dates, medical identification and Social Security numbers, street and email addresses, employment information and certain income data. The attack affected about 80 million customers and employees.

There is a question as to whether Anthem “did what they needed to do” in encrypting the personally identifiable data, said Scott L. Vernick, a partner at law firm Fox Rothschild L.L.P. in Philadelphia. According to media reports, Anthem encrypted its data when it was in transit but not sitting on its servers, which is where the attack occurred, and U.S. investigators suspect state-sponsored Chinese hackers are linked to the hack.

Despite federal laws such as the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act and numerous state laws relating to data breach notification requirements, experts say the health care industry has lagged in spending on technology.

The health care sector “has not been as aggressive as other industries,” including banking and airlines, that “have had more at their disposal to invest in the technical infrastructure,” said Katherine Keefe, Philadelphia-based global head of Beazley P.L.C.'s breach response team.

However, Anthem experienced “a very sophisticated attack and in the best of times it's very difficult for companies to stay ahead of the curve,” said Charles A. Cowan, London-based counsel at Drinker Biddle & Reath L.L.P.

Fallout from the devastating cyber attack in the health care industry was swift.

Several lawsuits naming Anthem, the nation's second-biggest health insurer, as a defendant and seeking class certification already have been filed. Among them is Susan Morris et al. v. Anthem Inc. et al., a suit filed in Santa Ana, California, federal court accusing the health insurer of unfair business practices, breach of covenant of good faith and fair dealing, and other charges. Ms. Morris' attorney, Aashish Y. Desai of Costa Mesa, California-based Desai Law firm P.C., said he expects the litigation to be consolidated in one jurisdiction, which is usual in comparable national litigation.

In addition, the National Association of Insurance Commissioners called for a multistate examination of Anthem and its affiliates, and several state attorneys general and regulators started investigations into the breach.

There also is the question of whether self-insured employers working with Anthem may have to assume some costs resulting from the breach, experts say.

Self-insured employers working with Anthem, which sells Blue Cross Blue Shield health care plans, should examine the policy language of their business associates' contracts to determine whether they are obligated to provide notice of the breach to their employees, said Danielle Vanderzanden, a shareholder at Ogletree, Deakins, Nash, Smoak & Stewart P.C. in Boston.

If the contracts includes the obligation, the employers should either provide the notice “or work with Anthem” to amend the provision, she said.

Robert J. Dubraski, president and CEO of health insurance broker Dubraski & Associates Insurance Services L.L.C. in San Diego, said underwriters in general will scrutinize cyber risks more closely, but he also hopes health care companies will now take this risk more seriously.

“We have always felt like (cyber) was one of the most underinsured risks in health care today,” Mr. Dubraski said.

As Anthem's primary cyber insurer, AIG's Lexington Insurance unit provides $10 million in coverage above a $10 million self-retention, insurance market sources say.

Several excess insurers also are on the risk; Anthem's estimated total cyber coverage of $150 million to $200 million is expected to be exhausted as a result of the breach, sources say.

Barring no more major cyber breaches in the health care industry, some experts do not anticipate higher cyber insurance rates for the sector. “Cyber insurers understand that there's a risk of a large event in their space. It's built into their pricing, and they understand that when they take the risk,” said Thomas Reagan, New York-based cyber practice leader at Marsh L.L.C. Concerns they may have are “somewhat offset by their desire to sell more cyber insurance.”

Although there are no indications that the stolen Anthem data has been sold, experts say the data would be far more valuable on the black market than credit-card information because it cannot be canceled or changed.

The Anthem data can fetch as much as $20 per record in the black market vs. $1 for credit-card data, said Craig Musgrave, senior vice president and chief information officer at Napa, California-based medical malpractice insurer The Doctors Co.