Lessons to Learn from Anthem Data Breach

Hacking leads to data breaches, and a breach is almost always a costly affair.

Let us take a close look at the Anthem data breach. Anthem is the second largest health insurer in the US. Before doing a deep-dive analysis, let us set the context as to which aspects need attention. As to "why", the aim and scope are obvious.


  • What is the issue?
  • What is the impact of the data breach?
  • When did the data breach occur?
  • When was it noticed or detected?
  • What immediate actions and steps were taken?
  • When were consumers notified of the compromise?
  • What sequence of events led to the data breach?
  • What does the forensic report say?
  • How was the incident reported to the authorities?
  • What was the incident response plan?
  • Who owned the response plan?
  • How did the team(s) swing into action?
  • What actions were taken?
  • How was it communicated?
  • What PR measures were put in place?
  • What are the conclusions of the forensic report?
  • What actions were taken after the report's findings were delivered?
  • As lessons learned, what new systems and procedures are in place to prevent a recurrence?

There is no doubt that Anthem had bad press, and fingers can be pointed to show that Anthem could have done a better PR job. But that is analysis after the fact, and of little use. The compromise of personal information is a sensitive issue with downstream repercussions, all the more so when 80 million customer accounts are at stake.

Anthem's database was hacked, giving the attackers access to 80 million customer accounts and their personal information. Most of the victims are current and former members of Anthem health plans, but some are non-members, since Anthem manages paperwork for some independent insurance companies. Millions of US residents had no idea that Anthem held their personal details. Now they know, the hard way.

According to Anthem: "On January 29, 2015, Anthem, Inc. discovered that cyber attackers executed a sophisticated attack to gain unauthorized access to Anthem's IT system and obtained personal information …." It went on to say: "The information accessed may have included names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, employment information, including income data. We have no reason to believe credit card or banking information was compromised."

The impacted plans/brands included Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare. Simply put, all the customers of these entities are at risk.

Forensic reporting indicates that on December 10, 2014, someone compromised a database owned by Anthem Inc., and the compromise went undetected until January 27, 2015, when a database administrator noticed his credentials being used to run a questionable query, one he had not initiated. Two days after that detection, on January 29, Anthem alerted federal authorities and HITRUST C3 that its internal investigation had determined the incident was in fact a data breach. On February 4, 2015, the company disclosed the breach to the public.

A deeper look at the history suggests that the attackers made several unsuccessful attempts at the database before they got in. Based on Anthem's defenses, it is possible that the attacker(s) tried to compromise the database earlier in 2014 and were thwarted, but kept at it and eventually succeeded. Attackers keep taking shots until one lands; each thwarted attempt was a signal that should have prompted Anthem to put more proactive defenses in place. We do not know what action or inaction followed those earlier attempts, or the 2010 incident described next.

The irony is that Anthem had already suffered a breach in 2010, in which 612,000 customer accounts were compromised. That breach led to a $1.7 million settlement between Anthem and the U.S. Department of Health and Human Services, since the disclosure of health information was a possible violation of the federal HIPAA privacy rule.

After the breach, Anthem engaged Mandiant, a leading cybersecurity firm, to assist not only with the investigation but also with strengthening the security of its systems. Too little help, too late.

As part of the consumer redress, Anthem is working with AllClear ID, an identity protection provider, to offer 24 months of identity theft repair and credit monitoring services to current or former members of an affected Anthem plan dating back to 2004.

Anthem Data Breach and Class Action Lawsuit:

In the immediate fallout of the breach, a class action lawsuit was filed, and within days additional lawsuits were filed in California and Alabama.

Lessons learned of Anthem Data breach:

One lesson is that, despite the earlier incident, Anthem had not encrypted the sensitive data; had it done so, the data would not have been so completely compromised. At least, that is one perspective. The caveat is that encryption at rest alone would not have stopped a query run with a valid administrator credential, because the database decrypts for any authorized session; to help here, protection has to be applied at the field level, with the keys and the ability to unmask held separately from database administration.
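The field-level protection that the lesson above (and the "Use Encryption, Data Masking" takeaway further down) calls for, as an added example that is not Anthem's code or code from this post. The member records, the field layout and the key value are constructed for illustration; in production the key would live in an HSM or KMS, never beside the data. It uses only the Python standard library: a keyed deterministic token (HMAC-SHA256) for Social Security numbers and e-mail addresses, which still permits exact-match lookups and joins, plus a masked display form. Full encryption at rest of the remaining fields would use an AEAD such as AES-GCM from a crypto library, which is not shown here.

```python
"""Field-level protection of member PII so that a stolen table is not readable.

Added example, not Anthem's code or code from the post.  Records, field layout
and TOKEN_KEY are constructed; the key must come from an HSM/KMS in practice.
"""
import hashlib
import hmac
import re
from typing import Dict, List

# Constructed 256-bit tokenization key (placeholder value, NOT a real secret).
TOKEN_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)

# Constructed sample records as they might sit in a members table.
MEMBERS = [
    {"member_id": 1203, "name": "A. Example", "ssn": "123-45-6789",
     "dob": "1971-04-02", "email": "A@example.com"},
    {"member_id": 3349, "name": "B. Example", "ssn": "987654321",
     "dob": "1985-11-30", "email": "b@example.com"},
]

# Shapes a plaintext SSN takes in a dump: dashed, or a bare nine-digit run.
SSN_PATTERNS = (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), re.compile(r"\b\d{9}\b"))


def normalize_ssn(ssn: str) -> str:
    """Strip formatting so '123-45-6789' and '123456789' tokenize identically."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must have nine digits")
    return digits


def tokenize(value: str, key: bytes) -> str:
    """Deterministic keyed token.  Equal inputs give equal tokens, so the column
    can still be indexed and joined; without the key an attacker cannot simply
    enumerate the ~10^9 possible SSNs to reverse it, as a plain SHA-256 allows."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def mask_ssn(ssn: str) -> str:
    """Display form for screens that only need the last four digits."""
    return "***-**-" + normalize_ssn(ssn)[-4:]


def protect(record: Dict, key: bytes) -> Dict:
    """Replace identifiers with tokens/masks before the row is stored."""
    digits = normalize_ssn(record["ssn"])
    return {
        "member_id": record["member_id"],
        "name": record["name"],
        "ssn_token": tokenize(digits, key),
        "ssn_masked": mask_ssn(digits),
        "birth_year": record["dob"][:4],            # keep only what analytics needs
        "email_token": tokenize(record["email"].strip().lower(), key),
    }


def find_by_ssn(table: List[Dict], ssn: str, key: bytes) -> List[Dict]:
    """Exact-match lookup through the token; the plaintext SSN never reaches the DB."""
    token = tokenize(normalize_ssn(ssn), key)
    return [row for row in table if row["ssn_token"] == token]


def leaks_plaintext_ssn(table: List[Dict]) -> bool:
    """What a bulk dump of the table would hand an attacker: any readable SSN?"""
    dump = repr(table)
    return any(p.search(dump) for p in SSN_PATTERNS)


if __name__ == "__main__":
    protected = [protect(r, TOKEN_KEY) for r in MEMBERS]
    print("raw table leaks SSNs:      ", leaks_plaintext_ssn(MEMBERS))
    print("protected table leaks SSNs:", leaks_plaintext_ssn(protected))
    print("lookup 123-45-6789 ->", [r["member_id"] for r in find_by_ssn(protected, "123-45-6789", TOKEN_KEY)])
```

The design choice worth noting is that the token is keyed: an unkeyed hash of an SSN is reversible by brute force in minutes because the input space is so small, whereas the HMAC is only useful to someone who also holds the key, which is exactly the separation the lesson calls for.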


There are further lessons to be learned from this incident. Remember that there is no one-size-fits-all answer; a myriad of things can be done to avoid a breach, so adopt a comprehensive strategy.

Here are some key takeaways for mitigating and minimizing risk:

  • Be responsive and transparent.
  • Notify regulatory authorities and the public as quickly as possible.
  • Commission a forensic report to assess what went wrong.
  • Be aware that the Attorneys General of 47 states can ask for data about the breach. Keep the relevant information handy and provide it consistently, to avoid legal fallout.
  • Have an incident response plan in place.
  • Test the incident response plan; identify and plug the gaps. This proactive approach costs far less than reacting after the fact.
  • Bring Legal and Public Relations on board along with IT.
  • Monitor system anomalies.
  • Watch administrator activity, using "identity-based threat detection models" that judge each privileged account against its own normal behaviour.
  • Use encryption and data masking; otherwise most of the personal information is readable as soon as the database is reached.
  • Give customers advice they can use.
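The two monitoring takeaways above (system anomalies, identity-based detection of administrator activity) are what would have surfaced the December 10 query weeks before the DBA happened to notice it. Below is an added example of that detection logic; it is not code from this post, from Anthem or from Mandiant. The audit-log format, the account and host names, the row counts, the sensitive-column list and the thresholds are all constructed. The idea is to learn what each privileged identity normally does (source hosts, working hours, result sizes) from a window of known-good activity, then score later events on that identity against its own baseline rather than against a single global rule.

```python
"""Identity-based detection over database audit logs.

Added example; not code from the original post, from Anthem or from Mandiant.
Log format, names, row counts and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Set

# Constructed sample audit log, one event per line:
#   timestamp|account|source_host|statement|rows_returned
SAMPLE_LOG = """\
2014-11-03T09:12:44|dba_jsmith|ws-dba-07|SELECT count(*) FROM members|1
2014-11-03T10:05:10|dba_jsmith|ws-dba-07|UPDATE members SET plan_id=12 WHERE member_id=9911|1
2014-11-04T09:40:02|dba_jsmith|ws-dba-07|SELECT * FROM members WHERE member_id=1203|1
2014-11-05T14:22:31|dba_jsmith|ws-dba-07|SELECT * FROM members WHERE member_id=3349|1
2014-11-06T11:03:19|dba_jsmith|ws-dba-07|SELECT count(*) FROM claims|1
2014-12-10T02:17:55|dba_jsmith|vpn-gw-3|SELECT name,ssn,dob,address FROM members|78000000
2014-12-10T02:31:08|dba_jsmith|vpn-gw-3|SELECT name,ssn,dob,address FROM members WHERE state='CA'|12000000
"""

BASELINE_CUTOFF = datetime(2014, 12, 1)   # everything before this is treated as known-good
SENSITIVE_COLUMNS = {"name", "ssn", "dob", "address", "email", "income"}
SELECT_LIST = re.compile(r"^\s*select\s+(.*?)\s+from\b", re.IGNORECASE | re.DOTALL)
ALERT_THRESHOLD = 2    # independent deviations needed before alerting
BULK_FACTOR = 10       # result larger than 10x the identity's past maximum counts as bulk


class Event(NamedTuple):
    ts: datetime
    account: str
    host: str
    statement: str
    rows: int


class Alert(NamedTuple):
    event: Event
    reasons: List[str]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed pipe-delimited audit format into Event records."""
    events = []
    for line in text.strip().splitlines():
        ts, account, host, statement, rows = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), account, host, statement, int(rows)))
    return events


def sensitive_columns(statement: str) -> Set[str]:
    """Columns in a SELECT list that hold personal data ('*' means all of them)."""
    m = SELECT_LIST.match(statement)
    if not m:
        return set()
    cols = {c.strip().lower() for c in m.group(1).split(",")}
    return {"*"} if "*" in cols else cols & SENSITIVE_COLUMNS


class IdentityBaseline:
    """Per-account profile built from a training window of known-good activity."""

    def __init__(self) -> None:
        self.hosts: Dict[str, Set[str]] = defaultdict(set)
        self.hours: Dict[str, Set[int]] = defaultdict(set)
        self.max_rows: Dict[str, int] = defaultdict(int)

    def learn(self, events: List[Event]) -> None:
        for e in events:
            self.hosts[e.account].add(e.host)
            self.hours[e.account].add(e.ts.hour)
            self.max_rows[e.account] = max(self.max_rows[e.account], e.rows)

    def score(self, e: Event) -> List[str]:
        """Every way this event departs from what the identity normally does."""
        reasons = []
        if e.host not in self.hosts[e.account]:
            reasons.append(f"new source host {e.host}")
        if e.ts.hour not in self.hours[e.account]:
            reasons.append(f"unusual hour {e.ts.hour:02d}:00")
        if e.rows > BULK_FACTOR * max(self.max_rows[e.account], 1):
            reasons.append(f"bulk result of {e.rows} rows")
        touched = sensitive_columns(e.statement)
        if touched:
            reasons.append("reads sensitive columns " + ",".join(sorted(touched)))
        return reasons


def detect(log_text: str, baseline_until: datetime) -> List[Alert]:
    """Train on events before the cutoff; alert on later ones that deviate enough."""
    events = parse_log(log_text)
    baseline = IdentityBaseline()
    baseline.learn([e for e in events if e.ts < baseline_until])
    alerts = []
    for e in events:
        if e.ts >= baseline_until:
            reasons = baseline.score(e)
            if len(reasons) >= ALERT_THRESHOLD:
                alerts.append(Alert(e, reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, BASELINE_CUTOFF):
        print(f"{alert.event.ts} {alert.event.account}@{alert.event.host}: " + "; ".join(alert.reasons))
```

Requiring two independent deviations before alerting is what keeps this usable: a DBA who moves to a new workstation, or who runs a single-row `SELECT *` during the day, trips one signal and stays quiet, while the 2 a.m. bulk read of name, SSN, date of birth and address from a VPN gateway trips all four. In a real deployment the baseline would be refreshed continuously and the thresholds tuned per identity.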

Biosimilar Drugs – What is it? and What’s Next?

The age of biosimilar drugs has arrived. Almost five years into the Patient Protection and Affordable Care Act, the FDA approved the first biosimilar drug, Zarxio (filgrastim-sndz) from Sandoz Inc., a Novartis company. Zarxio is a prescription drug supplied in injectable dosage form.

Zarxio, a biosimilar to Neupogen, is a medication that boosts the production of white blood cells and helps to ward off infection in patients receiving strong chemotherapy for some tumors, or patients undergoing bone marrow transplantation or patients with chronic neutropenia.


A biosimilar product is a biological product that is "highly similar" to a biological product (the reference product) already approved by the FDA. The biosimilar must have the same strength and dosage form. From a consumer standpoint, biosimilars mean more treatment options and potentially lower costs.


The Patient Protection and Affordable Care Act (Affordable Care Act), signed into law by President Obama on March 23, 2010, created an abbreviated licensure pathway for biological products that are demonstrated to be "biosimilar" to, or "interchangeable" with, an FDA-licensed biological product. This pathway is part of the law known as the Biologics Price Competition and Innovation Act (BPCI Act), under which a biological product is demonstrated to be "biosimilar", that is, "highly similar" to an already-approved biological product.

What’s Next?

There is more in the offing. With amendments to the Public Health Service Act (PHS Act), a new door has opened for launching more biosimilar or "interchangeable" drugs. Of course, each of these drugs would still go through the rigorous process and standards the FDA sets for drug safety and efficacy.

In 2012, the rise of biologics reshaped the drug market. Now, with the first biosimilar on the market, more are likely to follow, transforming a landscape that until now has mostly seen traditional drugs and biologics.

Does the arrival of biosimilars spell trouble for biological drugs? The obvious answer is yes, but the blow will not be as hard as the one generics dealt to traditional drugs.

Supreme Court Rules for Teva in Copaxone Case

Teva Pharmaceutical Industries Ltd. won a U.S. Supreme Court patent ruling that will help forestall generic competition to its top-selling multiple sclerosis drug, Copaxone. The Justices gave a reprieve to a Teva patent that will protect Copaxone from generic competition until September.


The ruling is a blow to Teva's generic competitors, Mylan Inc. and the petitioner, Sandoz. When Sandoz earlier tried to market a generic version of the drug, Teva sued for patent infringement; Sandoz countered by seeking invalidation of the patent.

It is interesting to note that this case draws attention to two points. 1) The District Court earlier had to weigh conflicting expert evidence on the patent claims and, after review, concluded that the claim was sufficiently definite and the patent therefore valid. 2) What is the prognosis for contesting the molecular-weight method for the active ingredient as grounds for invalidating the patent?

So, for now, generic versions will be held off for a few months, bringing some relief to Teva.

Most Innovative Companies & Inventions of 2014

Forbes, Time, Businessweek, The Scientist and Popular Science have all published their lists of the most innovative companies of 2014 and the greatest or most disruptive innovations of 2014. See the enclosed lists:


Microsoft settles Skype service related patent infringement

Microsoft agreed to pay VirnetX Holdings Corp. $23 million to settle patent claims over secure communication networks relating to the Skype service, which provides instant messaging and internet calling. The agreement came after U.S. District Judge Leonard Davis in Texas issued an order defining key terms in the VirnetX patents.


In another pending case, between VirnetX and Apple Inc. over the VPN On Demand and FaceTime features, VirnetX is awaiting further proceedings in the Texas court.

Is Qualcomm Losing edge in Mobile Phone Communication Technologies?

The key question in mobile phone communication technologies is this: Qualcomm, with its patent portfolio, has maintained a dominant position in CDMA/WCDMA (3G) technologies. Will it keep that lead in 4G LTE as well? Let us get a perspective by reviewing the landscape.

Qualcomm develops and patents mobile phone communication technologies, such as CDMA/WCDMA (3G) and OFDMA (LTE/WiMAX), which it then licenses to tablet and mobile phone manufacturers. These manufacturers make phones that use Qualcomm's technologies and operate on networks based on them. Qualcomm charges a royalty on each handset sold that uses its technology, in addition to one-time licensing fees from handset vendors. Apple, Samsung, Nokia and LG are some of its key customers.


With well over 250 licensees, Qualcomm's CDMA patent portfolio is the most widely and extensively licensed portfolio in the 3G space today. In the past, Qualcomm has been in disputes with entities such as Nokia and India's Reliance over the high royalty rates it charged. Over time, however, the average royalty rate Qualcomm charges handset vendors has declined considerably, as the average selling price of CDMA phones continues to fall and carriers transition to high-speed 4G networks. The bad news for Qualcomm is that it does not hold as strong a position in that segment.

Lacking an equally dominant IP portfolio in 4G technologies such as LTE, Qualcomm may not achieve the same royalty revenues on OFDMA-based LTE technology as it enjoyed with CDMA. As the industry continues to move from 3G to 4G, Qualcomm's average royalty rate is coming under pressure, hurting the bottom line.

It is anticipated that the gradual shift from 2G to 3G/4G will raise global penetration of mobile devices from the current 50% to 65% in 2016. A couple of years after that, with 3G/4G adoption rising to as much as 80%, the market for CDMA technologies will shrink further.

Core Responsibilities of Chief Innovation Officers in Enterprises

Chief Innovation Officers are critical if enterprises are to innovate and thrive. That said, what are the critical items they need to address and put in place for the enterprise to innovate and succeed? The following are the critical items to consider:

Must scout for new ways to manage innovation so that the enterprise gets the most from its investment in research and development.

Think big, start incrementally: Google is a great example in this category. It expanded systematically into several new categories, one step at a time, with a game plan, and achieved its goals.
Strive for continuous innovation, not perfection: nothing can be emphasized more than this. It should not be a quest or obsession for perfection, but a stream of incremental innovation (less risky) that solves specific business issues.
Ignite thoughts and ideas: encourage employees, back ideas with factual data, provide management support and allocate resources.
Introduce a culture of open innovation, in which employees and partners collaborate to keep innovation flowing.
Form a bridge between the business, technical and legal functions: the CIO must be an inclusive person who works closely with all key stakeholders and constituents to foster innovation and growth.
Get new products and services to market: support business units in translating captured ideas into new products (New Product Introduction, NPI) and services.
Facilitate an environment for idea generation: capture information from all business units.
Capture all ideas and invention disclosures: create a centralized repository for all innovation disclosures.
Help identify new market spaces: facilitate the application of incremental innovation to solve customer issues and drive up customer commitment.


Enterprises succeed or fail on one or a combination of these factors. So, the next time you look at your enterprise, make sure all of these are in place or being addressed. One must-do is to align the business, technical and legal functions, ensure they are well integrated, and establish a fail-safe mechanism for them to collaborate, so that the organization fosters innovation and continues to grow and thrive.

For more information, download the eBook – Managing Innovations for Profitable Growth