Anthem may have just experienced the largest health care data breach in U.S. history, with potentially 80 million individuals at risk from this “very sophisticated external cyber-attack,” according to Anthem Chief Executive Joseph Swedish. There will be months of analysis, debate and proposed legislation as a result of the breach. However, there is a silver lining: Anthem’s quick and (from all present accounts) thorough response provides a worthy example for organizations of every stripe to follow.
Unlike previous major breaches, the public did not learn of this one because a third party informed Anthem it had been breached. According to the FBI, Anthem notified the agency “promptly,” and the FBI is currently investigating with Anthem’s full cooperation. Media received notice and broadcast news of the breach globally within minutes. Privacy and security professionals (including Taft) quickly sent out messages on how potential victims should protect themselves. Anthem quickly established that it would provide credit monitoring services for those affected and would also set up a website to keep its customers informed of further developments.
Such quick and decisive actions in a crisis come from well-crafted and thoroughly tested plans. This situation provides businesses with an example of the impact of a solid breach response plan in action. Even with nearly one quarter of the U.S. population at risk, the news coverage today has focused far less on Anthem than on other events such as net neutrality.
There will be other cybersecurity incidents. If your organization is next, do you have a tested plan for handling the investigation, including contacting authorities, managing media relations and communicating with customers and investors?