7 PR Lessons From the Largest Healthcare Data Breach in History

By Anna Keeve, Senior PR Specialist, ESET North America

Eighty million. That’s the number of people whose social security numbers, addresses, medical ID numbers and other personal information ended up in the hands of cyber criminals as a result of a cyber-attack in February 2015 on Anthem, the second-largest health insurer in the U.S.

With so many patient records compromised, the hack remains the largest healthcare data breach to date. [Editor's Note: PRN staff added the following material in parentheses. It does not necessarily reflect the author's viewpoint or that of ESET North America.] (Unfortunately, more mayhem aimed at healthcare data seems likely. James Scott, a senior fellow and co-founder of the Chicago-based Institute for Critical Infrastructure Technology, a cybersecurity think tank, told the San Francisco Business Times’ Chris Rauber late last month that healthcare is the country’s top target for hackers. Rauber was reporting about the loss of six hard drives containing data on nearly 1 million enrollees at Centene, a health insurer based in St. Louis. Scott said confidential health care data sells for $10 to $50 per record. By contrast, hacked credit card data often fetches just $1 per record.)

At the end of 2015, the public was reminded of the significance of the Anthem case as media outlets recapped the largest data breaches in their year-end reporting. Anthem not only topped the ignominious list of largest healthcare hacks, it also was the biggest breach in any sector last year, ahead of the federal government’s Office of Personnel Management (18-21.5 million records compromised) and Ashley Madison (37 million people affected), to name a few.

Cyber-attacks like these place organizations in the spotlight. They are scrutinized on every move they make. Media and consumers judge them on how quickly they reveal a breach and how forthcoming they are about their cybersecurity practices. As we know, poor crisis communication can be devastating to a company’s customer and shareholder relationships, brand perception and, ultimately, bottom line.

Now, almost a year since the attack on Anthem, a more comprehensive analysis can be made of the company’s crisis response. While we can learn valuable PR positives from its crisis communications approach following a cyber-attack, we can also learn some things to avoid. A number of the lessons apply to cyber-attacks only, though the majority are relevant to crisis PR generally.

1. Time Is Critical: Anthem’s breach was detected on Jan. 27, 2015. The company came out publicly Feb. 4, equipped with an arsenal of resources. It’s been credited for coming out early and being well prepared, which enhanced transparency and trust. To put this in perspective, the Target hack broke from an outside source Dec. 13, 2013, but it took the retailer five days to follow with an announcement and weeks to send notices to its customers. When 4.6 million Snapchat accounts were compromised in late 2013, the company waited months before making it public, causing outrage from users.

Often companies decide to forego disclosing a data breach for weeks or even months before announcing it publicly. A company executive’s first instinct may be to avoid disclosing anything until he or she has all the answers. When dealing with breached data that has been stolen from your customers, however, a company needs to come out within days of the discovery and communicate what it knows. No one expects the company to have all the answers right away. As long as the spokesperson explains that the company is working with authorities to figure it out, customers and the public at large generally will be more accepting.

While there are laws that require companies to disclose a breach, their timelines are vague, stating only that disclosure must occur within a reasonable amount of time. Disclosure also depends on what types of data are exposed. Medical information has many regulations attached to it under the Health Insurance Portability and Accountability Act of 1996, known as HIPAA. General information is unlikely to be as highly regulated. While brands must meet their legal obligations, they also should consider their moral obligation; they need to be forthright and timely with what they know.

2. Disseminate Easy-to-Understand Information: Anthem nailed one thing: The resources it offered customers upon announcing the breach. It launched a dedicated microsite, anthemfacts.com, as well as a hotline that current and former customers could call to obtain information. Anthem’s FAQ page also had additional details.

What is more, the information was easy to read and understand. Content like this—really, any content—is useless if people have to sift through five pages before getting to the salient points and understanding what it means to them and what they need to do. Also, the last thing people want when trying to get information is a rude or uninformed customer service representative. When Target was hacked, the company received a lot of criticism for customer service call wait times that were too long, a banner on its website that could hardly be seen and written communication that was too complex to understand.

Ask yourself these five questions about your communication: Is it empathetic? Helpful? Clear? Resourceful? Honest?

3. Be Careful With Post-Breach Communications: What happens when cyber-criminals hear that a company had 80 million customer records stolen? They find a way to steal more information. As if Anthem’s situation were not bad enough, scams using phishing and social engineering started to surface shortly after the breach. Before Anthem had even announced the corrective measures it was going to take, people were blasted with emails that looked as though they originated from Anthem. These were phishing emails that tried to get recipients to click a link to sign up for credit monitoring services. Once recipients completed the instructed action, malware was downloaded onto their computers, and they were taken to a site that asked for personal information or credit card numbers. Unfortunately, it takes just one click for cyber thieves to get what they’re seeking.

Anthem then had to issue a statement and press release warning the public about these scams. The communication urged people receiving the bogus email to avoid clicking on links or following any of the instructions given.

This is why it is necessary to be extremely cautious with post-breach communication. All actions taken must take into consideration what the opposition is capable of doing.

4. Adequate Compensation: After a breach it’s critical to offer compensation and follow through. While companies can’t buy back a consumer’s brand loyalty, they can invest in measures to soften the blow. Providing free credit monitoring has become a standard offering following a breach. As such, this is wise to do at a minimum. The reality, though, is that the damage is done once the data is gone. As consumers become less patient and empathetic, credit monitoring may not be enough. Think about something else you can do or offer depending on the severity of what happened.

But be careful about asking consumers for something in exchange for a goodwill offering. Recall when Volkswagen offered consumers $500 as goodwill for its vehicles that had emissions-cheating software? Backlash ensued, as recipients were required to sign a lengthy Goodwill Package Cardholder Agreement that legal experts described as confusing. Worse, some legal authorities believe the Agreement potentially could cost consumers their legal rights.

Anthem offered credit-monitoring services for two years through AllClear ID, but after announcing the hack, the company failed to provide an explanation as to how to access these offered protections, causing some backlash from customers and elected officials.

5. A Sincere Apology: As PR pros we all know this is basic, but it’s often difficult for companies to do, especially when they feel they took proper actions to protect customer data. Brands need to understand that by apologizing they are not admitting guilt or negligence—they are simply showing empathy and sincerity. In Anthem’s case, CEO Joseph Swedish offered an apology on the homepage of its Anthem Facts microsite:

“I want to personally apologize to each of you for what has happened, as I know you expect us to protect your information. We will continue to do everything in our power to make our systems and security processes better and more secure, and hope that we can earn back your trust and confidence in Anthem.”

6. Avoid the Word “Sophisticated” Unless the Attack Was Sophisticated: Companies often use the word “sophisticated” to describe a breach, frequently to protect themselves from the perception of liability. Even though this might be the post-breach lingo norm, attacks often are unsophisticated and companies should not falsely lead the public into thinking otherwise. In Anthem’s case, while it said a “sophisticated attack” occurred, any cyber expert can tell you that it was not. Eventually it was made public that Anthem failed to encrypt the massive amounts of data it held, which potentially could have thwarted the attack. Encryption is a common security technology that scrambles data so that unauthorized users cannot read it.

7. Despite a Sharp Decline in Reputation and Revenue, Recovery Is Possible: A poorly handled public response to a cyber-attack can cause irrevocable damage. We live in a strange world, however. As events that once were considered unthinkable become more frequent, the public is becoming more desensitized to them. An optimistic viewpoint is that people are confident that law and order eventually will emerge victorious over cyber terrorists.

For example, the Target breach in Q4 2013 earned the company a record-low customer-perception score and cost it about $17 million. Yet its financials rebounded, ending the next quarter at pre-hack levels.

Still, despite breaches becoming more common, don’t expect consumers to be lulled into total complacency. Breached organizations still must work to earn back trust, proving they are providing additional security to protect customer data. In addition, dedicating inadequate resources to rectify the situation can have disastrous results. Companies likely will face an even greater PR storm, along with lawsuits. The mantra in the public eye remains “guilty until proven prudent.”

In sum, companies can bounce back, but generally not without intense media scrutiny and customer dissatisfaction, especially if a brand is perceived as lacking empathy and transparency.


This article originally appeared in the February 2, 2016 issue of PR News.