Anthem Should Be Punished for Breach
Note that my comments are all focused on Anthem consumer data and not employee data. First, it is ridiculous that Anthem is storing social security numbers of consumers/insured. HIPAA has required a non SSN based identifier for almost 10 years now and SSN is not required for any other valid insurance business purpose. Add on top of this that the consumer/insured data was stored in an unencrypted format makes this pure negligence. Also note these are the same bozos that had their insurance applicant system hacked about 3 years ago. You'd think they would learn.
Until there is some consequence for companies, they will not change their behavior. And there is no real consequence for Anthem. They are in a fairly protected business with minimal customer turnover. What are people going to do... stop their insurance? And the complexity of corporate negotiation around benefits administration means few companies will take any action to change insurance administrators.
I am not a fan of big government, but this is one time I think the government should go after Anthem with both barrels, especially considering this is the second major incident in a relatively short period of time. Anthem should be forced to pay $10s of millions in fines to the government, punitive monetary damages to every insured, and criminal negligence charges should be filed for storing unneeded SSN data (in violation of HIPAA) in an unencrypted format.
This kind of significant penalty is the only thing that will cause companies to change the way they behave. Most companies like to make you think they care in their marketing and branding, but as a matter of fact their business processes say they don't care. It's time for the public to stop accepting this kind of corporate behavior.