INDIANAPOLIS: Health insurer Anthem is proactively reaching out to members to specifically explain that there is no evidence credit card or medical information was targeted or compromised as part of the data breach it discovered last week.
Ketchum, Anthem’s AOR, is providing the health insurance giant with subject matter experts and advising the company on best practices, said Kristin Binns, VP of PR at the insurer.
"Our main priority is to be clear about the information we have assessed that has not been included in this breach, such as medical, banking, and credit card information," Binns explained. "We want to make this clear to our customers, so we start eliminating initial concerns as best we can."
Attackers did, however, gain unauthorized access to Anthem’s IT system and obtained personal information from current and former customers, such as their names, birthdays, medical IDs, Social Security numbers, street addresses, email addresses, and employment information. They may have also stolen income data, Anthem president and CEO Joseph Swedish confirmed in an open letter posted on the company’s website.
After a string of cyberattacks against major companies in the US and globally in recent years, Binns said customers expect organizations to communicate about breaches transparently and as soon as possible.
"We were very cognizant about being expeditious with our response," she said, noting that her team executed a notification plan within a week of becoming aware of the attack. "But the challenge with this was making sure we had enough information to ensure what we were putting out there was accurate."
Once the attack was discovered, Anthem "immediately made every effort to close the security vulnerability, contacted the FBI, and began fully cooperating with their investigation," Swedish said in his letter. It also retained cybersecurity firm Mandiant to evaluate Anthem’s systems and identify solutions, Swedish added.
Anthem also launched a microsite, which customers could access via a link from the company’s homepage, that includes an FAQ list and Swedish’s letter. It also emailed the memo directly to customers who opted to receive information from the company, Binns said.
The insurer also shared the open letter on Anthem’s social media channels on Facebook and Twitter.
1/ Anthem was the victim of a cyber attack. No evidence medical or credit card information was compromised. More at http://t.co/ilKRmawhM6 — Anthem, Inc. (@AnthemInc) February 5, 2015
Although Anthem established the microsite to eliminate customers’ need to call the company by providing them with information they might want, it also set up a hotline for anyone with questions or concerns.
Anthem’s comms team has also reached out to technology and healthcare reporters, Binns said.
Because the personal information of Anthem staffers was also included in the breached data set, Binns noted that the comms team is offering insight about what the organization will do to protect its own employees. The company shared a different open letter to staffers from Swedish across its offices on Wednesday night.
"Anthem’s own associates’ personal information – including my own – was accessed during this security breach," Swedish said in his letter. "We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data."
The breach follows the high-profile cyberattack on Sony Pictures Entertainment last year, for which authorities have blamed North Korean hackers. That incident was connected to the studio’s film The Interview, which comically depicted the assassination of dictator Kim Jong Un.
Retailers are also among the best-known victims of cyberattacks. Target publicly acknowledged that the credit and debit-card data of 40 million customers was exposed, as was a second batch with the personal information of 70 million people, during the 2013 holiday season.
Burson-Marsteller helped Target respond to the data breach.