Dive Brief:
- The hits just keep on coming for Anthem, with a new report speculating that the company's $100-million insurance policy against cyber attacks may not be enough to pay for efforts to mitigate the damage.
- InsuranceInsider.com cited anonymous sources with knowledge of Anthem's AIG cyber attack policy, quoting them as saying that the cost of contacting 80 million members to alert them of the hack alone could exhaust the policy's protection. Dan Nelson, an Armstrong Teasdale attorney who deals with trade secrets, contracts and securities, told the St. Louis Business Journal that "Anthem should expect to pay between $100 to $200 per breached record. With as many as 80 million people affected, that comes out to $8 billion to $16 billion."
- As previously reported, 80 million of their clients' personal information—including Social Security numbers and credit card numbers—were exposed through a recent cyber attack. Further reports have indicated that Anthem failed to encrypt the personal data in their systems, and that the breach was enabled through a simple password hack, made worse by their network's single-tiered access design.
Dive Insight:
This story begs the obvious, and nearly unanswerable question, of how much payers should really invest to insure against problems with data security. If the costs of a serious hack like this can't be covered by a $100-million insurance policy, then how much should Anthem—and its peers—be willing to pay for a better chance at mitigating the cost of hacks in the future?
Once Anthem and other payers have taken all appropriate steps to lock down data security far more securely, they will have to address how much data security insurance they should have. While it seems unlikely that any health insurer will cop the premiums for multi-billion dollar protection—despite the potential for losses in that ballpark—health payers will probably conclude that Anthem's $100 million in coverage was grossly inadequate. Still, a payer or two may have to be bankrupted by cyber security breach losses before it becomes customary to make bigger cyber security insurance investments.