Insurer Anthem Tuesday acknowledged in a new financial filing that its recent data breach involving 80 million people could result in “significant” expenses that its cybersecurity insurance policy may not fully cover.
Some observers were quick to note the disclosure was likely done as a defensive measure by Anthem, trying to alert investors to any and all possible outcomes from the breach to preclude future lawsuits for failing to disclose key financial information. The disclosure was in the company's .
But it did confirm that Anthem's eventual total costs related to the cyberattack, disclosed earlier this month, are unknown and unpredictable. The fallout also may not be as muted as many have predicted.
The data breach exposed personal information, such as Social Security numbers and income data, of both Anthem and affiliated Blue Cross and Blue Shield members. But credit card and medical information was supposedly not compromised, which would be a much more problematic issue.
Costs from the hack will arise in many areas. Anthem is providing two years of free credit-monitoring and identity theft protection services, compared with the typical one year. Fines and legal expenses stemming from lawsuits, more than 50 by the latest tally, also will run up the tab, as will other peripheral costs related to several ongoing investigations.
Longer term, customer loyalty may be damaged, though early reports show consumers are taking a blasé attitude toward the size and severity of the breach.
It's unclear what or how much Anthem's cybersecurity insurance covers. Anthem spokeswoman Kristin Binns said in an e-mail the company was not able to comment beyond what was included in the filing.
Retailer Target Corp. suffered a similarly sized data breach in December 2013 and recorded . Target's insurance policy covered only $38 million.
Anthem closed its fiscal 2014 with almost $2.2 billion of cash and cash equivalents on hand, the SEC filing showed. Anthem's total assets exceeded $62 billion.
Follow Bob Herman on Twitter: