Crisis Management

Target as Target

Risk experts grade Target's efforts to manage the reputation damage caused by the data breach.
By: | February 3, 2014 • 4 min read

After fumbling its initial response to a massive data breach, Target Corp. has rebounded, according to experts in crisis management.

However, they said, the retailer still faces challenges in regaining consumer confidence, especially among people directly harmed by the cyber attack, which struck at the height of the holiday shopping season.


In late November and early December, malware lodged in the retailer’s point-of-sale system siphoned off account and personal information for up to 110 million customers. But Minneapolis-based Target is not the only company that may have been struck. Luxury retailer Neiman Marcus suffered a smaller breach, and news reports suggest at least six other retailers have been hit. These other companies likely are keeping a close eye on Target’s handling of the crisis.

Critics have focused, in part, on the company’s early communications. Target appeared initially to underestimate the gravity of the situation, crisis consultants said. For example, Target’s first message to customers apologized for the inconvenience.

“You don’t call something like this an inconvenience,” said Rich Klein, a crisis management consultant in New York City.

Initial email (truncated) sent by Target on 12/19/2013. The original email included an additional 4 pages of information.

Subsequent messages from Target used stronger language, acknowledging customers’ stress and anxiety, he said. Messages also switched from assuming customer confidence to promising to regain it, Klein added, praising the change.

“I would still say it’s so much better to get it right the first time,” he said.

2nd email to guests, 12/20/2013.

Still, he added, the company made good use of its Twitter feed and Facebook page. Facebook, for example, was used only to communicate about the breach, not to advertise sales, though it also acted as something of a lightning rod for complaints.

Consultants also panned the company’s decision to extend a 10 percent discount to shoppers during the weekend of Dec. 21, a few days after news of the breach first surfaced. While the discount was a nice gesture, it did not adequately address customer concerns and seemed to suggest the crisis had passed, consultants said.

In addition, the company has occasionally appeared to be behind the news, with information trickling out in the media before being revealed by Target, said Jeff Jubelirer, vice president of Philadelphia-based Bellevue Communications Group. “We should expect more from a retailer of that size and that reputation and that level of success.”

A key turning point came on Jan. 13, when the company’s CEO, Gregg Steinhafel, appeared on CNBC, apologizing for the breach, reassuring customers and defending the company’s reaction.

Steinhafel should have been giving interviews in December, said Jonathan Bernstein, an independent crisis management consultant in Los Angeles. “They would have suffered less loss of sales and less impact on their stock value if they had been more assertive from the get-go.”

Other observers gave Target high marks for making a relatively quick disclosure of the breach and offering a free year of credit monitoring to customers. The four-day gap between discovery of the breach on Dec. 15 and public disclosure on Dec. 19 was shorter than it has been in other cases, said Alysa Hutnik, an attorney in the Washington, D.C. office of Kelley Drye.

“I haven’t done the math, but I think that would rate somewhere at the very top,” said Hutnik, who specializes in cyber security issues.

Another high point is the prominent role of Target’s CEO, Hutnik said. “He knows there’s work to be done to earn back customer trust, and it looks like he is taking that obligation seriously,” she said, noting that top executives rarely serve as public faces after a data breach.

Other positive steps include Target’s $5 million investment in cyber security education, said Michael Soza, a partner in accounting and consulting firm BDO.

“This latest move … is really going on the offensive to show that they really are trying to get out in front of this thing and really attack what is not just a Target problem,” Soza said.


As long as no other damaging details leak out, most customers will remain loyal to the chain, said Daniel Korschun, an assistant professor of marketing at Drexel University in Philadelphia.

But the company will have to work harder to win back customers who suffered directly. They will be hard to find and hard to soothe, especially if they’ve had to spend hours on the phone undoing damage to their credit or bank accounts.

“Those are the ones where the trust has really been lost,” Korschun said.

Joel Berg is a freelance writer and adjunct writing teacher based in York, Pa. He has covered business and regulatory issues. He can be reached at [email protected]

Risk Scenario


A social engineering cyber attack results in a massive loss of medical records, a reputational hit and a merger gone bad.
By: | October 20, 2015 • 7 min read
Risk Scenarios are created by Risk & Insurance editors along with leading industry partners. The hypothetical yet realistic stories showcase emerging risks that can result in significant losses if not properly addressed.

Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.

Engineer This

This was so much easier than hacking a system by harnessing software technology and using multiple computers and proxy servers. Still, it took a little bit of phone work.


A member of SubPrime OverKill, a group of financially motivated hackers going by the acronym SPOK, called the headquarters of Atlas Health Systems on the morning of Monday, July 1.

“Hi,” the hacker said in a friendly voice, when an operator answered the phone. “Can I please have the name of your head of Information Technology?”

“I’m not authorized to give that out,” the national hospital system operator said.

“OK,” the hacker said and hung up before the operator could ask him why he was calling.

It took him six more calls to get what he needed. He didn’t get the name of the head of IT, but he finally got the name of someone else in that department.

The hacker’s next call was to that office.

“Keith Duvall, please,” the hacker said in a much sterner voice when Duvall’s assistant answered.

“Who may I say is calling please?” Duvall’s assistant said.



“This is Special Agent Frank Dermont of the Federal Bureau of Investigation’s Cyber Security Bureau. We’ve confirmed that your computer system has been hacked and we need to access it immediately,” the hacker said.

The ruse was working so far. The assistant got flustered.

“Well, Keith’s not in right now, he’s…he’s in Kansas City,” she said.

“We need his username and password! Your system is under attack right now and crucial life-saving machinery in your hospitals’ neo-natal and intensive care units could be shut off within minutes,” the hacker said.

“Give me the username and password now or face obstruction of justice charges!” the hacker said.

“Wait, wait just a second, I have it here,” the assistant said, the thought of infants and the critically ill dying by the dozens overwhelming her.

The flustered assistant then gave the phony FBI agent a super administrator password and username.

And SPOK was in the hen house.

Over the next four months, unknown to hospital administrators, the hackers siphoned off hundreds of thousands of medical records from the large hospital system’s computer system.

At $80 per medical record, the thieves were making millions selling the records on the black market. And no one within the Atlas Health System administration had any notion of what they were up to.

Does your company have a two-factor authentication system in place to block unauthorized access to your IT system?


Merging Blind

Two months after the hack, Dale Reed, director of risk management for a smaller hospital system, The Magnolia Group, received information that Atlas was planning to buy Magnolia and merge the two hospital systems.


There was already plenty on Reed’s plate. The demands of the Affordable Care Act and the escalating number of cyber attacks on not only health insurers, but health care providers, were causing him great concern.

“Now this,” Reed said as he looked over an email from the Magnolia Group CFO, outlining the ways in which the terms of the Atlas deal were projected to impact various departments.

The good news for Reed was that it appeared his job was safe.

The challenge for Reed was that he was going to have to work hand in hand with the IT professionals and risk management team at Atlas in building a secure information technology system.

The deal was set to close in November and the C-suites with both hospital groups were expecting the systems to be fully integrated and secure by the end of the year.

“Don’t expect to see much of me,” Reed told his wife. “I’ve got some long work days ahead of me.”

In mid-October, as the merger moved closer to becoming a reality, Reed sought clearance for and obtained permission from higher-ups to begin conversations with the IT and risk management departments at Atlas to discuss systems integration and security.


In conversations with Atlas officials, Reed took away two things that concerned him. One, it appeared Atlas did not require two-factor authentication for access to the hospital’s IT system.

If a hacker chose to target Atlas, Reed thought, all they’d have to do is get an IT administrator’s username and a password and they were in.

Two, in discussions with Atlas’ risk management department, it appeared that a cyber-attack incident response plan, while being developed, was not yet in place at Atlas.

Working late one night in the office, Reed deduced that he couldn’t be passive. He needed to take steps to make sure the combined hospital system’s IT system was not only integrated but secure.

The Atlas/Magnolia merger closed as expected Nov. 16. The Magnolia name would go away and the system would keep the name Atlas.

The following day Reed asked for and received permission to hire an IT audit firm that he’d worked with before to examine the Atlas system, which was now in the process of being integrated with the Magnolia system.

The audit team was two days into its three-month contract when Reed got a call from the audit team’s chief examiner.

“The Atlas Health System network was breached back in July,” the examiner said.

“What?” was all Reed could say.

“We estimate hundreds of thousands of medical records have been stolen by a group that goes by the acronym SPOK. They might have taken as many as a million records.”

“You’ve got to be kidding me,” Reed said.

“We’re not kidding you, Dale,” the examiner said. “And it looks like some former Magnolia Group records might already have been lifted.”

The news that Atlas was four months into a massive cyber attack and that close to a million records were pilfered was of course very painful for Keith Duvall and his superiors in the IT department and treasury.

When it became known that it was the IT department’s very own super administrator username and password that were used to breach the system, the head of Atlas IT resigned.

Dale Reed had taken the initiative and hired the IT audit team that found the breach. Now he would have the added responsibility of cleaning up the mess. Or trying to.

Does your company have a cyber-breach incident response plan?


Pain. No Gain.

The next day, Reed was back on the phone, this time with the IT audit team’s chief examiner and his insurance broker.


“These aren’t like credit card numbers,” the broker was saying, as Reed felt sharp anxiety pains in his abdomen.

“It could take months to figure out what services, pharmaceutical, whatever, are being ordered with this stolen information. This medical information can go for $80 per record on the black market, it’s much more valuable than a credit card number and much harder to shut down,” the broker said.

The next morning’s newspaper told Reed and the rest of the Atlas executives a story they never thought they would read and would never want to read again.

SPOK sold information about the embarrassing medical conditions of a number of regional business, political and other public sector leaders to unscrupulous bloggers and those details were published online.

Examples included a local school superintendent with a sexually transmitted disease, the CEO of a local company who had bariatric surgery but didn’t want the information publicly disclosed, and the wife of a local pastor who was suffering from complications from breast implants.

“Did you see this?” came the panicked email from the Atlas CFO, including a link to the story.

“Saw it,” was Reed’s only response.

A class action lawsuit soon followed. The plaintiffs alleged that the combined company failed to conduct ample due diligence into the vulnerabilities of its IT system.

The reputational damage from the lost and sold medical records spurred Atlas executives to accelerate planned upgrades to their IT system. Millions in IT expenditures they’d expected to spread over 10 years were compressed to a two-year spend.

Add to that the notification costs and legal expenses connected to the breach and the defense of the class actions, and it became painfully clear that Magnolia and Atlas should never have merged at all.

Are you comfortable that you have adequate insurance policies in place to cover not only the notification expenses but the legal and crisis response expenses that would stem from a cyber breach?



Risk & Insurance® partnered with Swiss Re Corporate Solutions to produce this scenario. Below are Swiss Re Corporate Solutions’ recommendations on how to prevent the losses presented in the scenario. This perspective is not an editorial opinion of Risk & Insurance®.

Even the best-trained employees click on 2% of spam phishing emails. Once a hacker has access to your network, the ramifications are endless. The monetary costs of a breach can be in the billions of dollars, but losses aren’t just financial. After a cyber attack, companies face reputational and legal consequences, as well.

In our increasingly digitized world, computer hacks aren’t just the stuff of fiction. They’re a very real part of doing business. And almost all companies – large or small, public or private – are at risk. So when an attack does occur, you don’t want to be alone. You want a teammate you can depend on to mitigate your losses.

Swiss Re Corporate Solutions understands the threats you’re facing. That’s why we’ve enlisted the very best partners to help you protect your business after a breach. Our on-call vendors are elite forensics firms, law firms, breach notification firms, and call centers, so you can rest easy when the worst happens.

Swiss Re Corporate Solutions means knowledge, experience, financial and global reach. Let our experts create customized solutions that are right for your business. Visit

Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected]

Sponsored Content by CorVel

Telehealth: The Wait is Over

Telehealth delivers access to the work comp industry.
By: | November 2, 2015 • 5 min read


From Early Intervention To Immediate Intervention

Reducing medical lag times and initiating early intervention are some of the cornerstones to a successful claims management program. A key element in refining those metrics is improving access to appropriate care.

Telehealth is the use of electronic communications to facilitate interaction between a patient and a physician. With today’s technology and mass presence of mobile devices, injured workers can be connected to providers instantaneously via virtual visits. Early intervention offers time and cost saving benefits, and emerging technology presents the capability for immediate intervention.

Telehealth creates an opportunity to reduce overall claim duration by putting an injured worker in touch with a doctor, including a prescription or referral to physical therapy when needed. On-demand, secure and cost-efficient, telehealth offers significant benefits to both payors and patients.

The Doctor Will See You Now

Major healthcare players like Aetna and Blue Cross Blue Shield are adding telehealth as part of their program standards. This comes as no surprise as multiple studies have found a correlation between improved outcomes and patients taking responsibility for their treatment with communications outside of the doctor’s office. CorVel has launched the new technology within the workers’ compensation industry as part of their service offering.

“Telehealth is an exciting enhancement for the Workers’ Compensation industry and our program. By piloting this new technology with CorVel, we hope to impact our program by streamlining communication and facilitating injured worker care more efficiently,” said one of CorVel’s clients.

“We expect to add convenience for the injured worker while significantly reducing lag times from the injury to initiating treatment. The goal is to continue to merge the ecosystems of providers, injured workers and payors.”

— David Lupinsky, Vice President, Medical Review Services, CorVel Corporation

As with all new solutions, there are some questions about telehealth. Regarding privacy concerns, telehealth is held to the same standards of HIPAA and all similar rules and regulations regarding health information technology and patients’ personal information. Telehealth offers secure, one on one interactions between the doctor and the injured worker, maintaining patient confidentiality.

The integrity of the patient-physician relationship often fuels debates against technology in healthcare. Conversely, telehealth may facilitate the undivided attention patients seek. In-office physicians’ actual face time with patients is continually decreasing, averaging eight minutes per patient, according to a 2013 New York Times article. Telehealth may offer an alternative.

Virtual visits last about 10 to 15 minutes, offering more one on one time with physicians than a standard visit. Patients also can physically participate in the physician examination. When consulting with a telehealth physician, the patient can enter their vital signs like heart rate, blood pressure, and temperature and follow physical cues from the doctor to help determine the diagnosis. This gives patients an active role in their treatment.

Additionally, a 2010 BioMed Central Health Services Research Report is helping to dispel any questions regarding telehealth quality of care, stating “91% of health outcomes were as good or better via telehealth.”

Care: On Demand

By leveraging technology, claims professionals can enhance an already proactive claims model. Mobile phones and tablets provide access anywhere an injured worker may be and break previous barriers set by after-hours injuries, incidents occurring in rural areas, or being out of a familiar place (e.g., employees in the transportation industry).

With telehealth, CorVel eliminates travel and wait times. The injured worker meets virtually with an in-network physician via his or her computer, smart phone or tablet device.

As most injuries reported in workers’ compensation are musculoskeletal injuries – soft tissue injuries that may not need escalation – the industry can benefit from telehealth since many times the initial physician visit ends with either a pharmacy or physical therapy script.

In CorVel’s model, because all communication is conducted electronically, the physician receives the patient’s information transmitted from the triage nurse via email and/or electronic data feeds. This saves time and eliminates the patient having to sit in a crowded waiting room trying to fill out a form with information they may not know.

Through electronic correspondence, the physician will also be alerted that the injured worker is a workers’ compensation patient with the goal of returning to work, helping to dictate treatment just as it would for an in office doctor.

In the scope of workers’ compensation, active participation in telehealth examinations, accompanied by convenience, is beneficial for payors. As the physician understands return to work goals, they can ensure follow up care like physical therapy is channeled within the network and can also help determine modified duty and other means to assist the patient to return to work quickly.


Convenience Costs Less

Today, convenience can often be synonymous with costly. While it may be believed that an on-demand physician’s visit would cost more than seeing your regular physician, perceptions can be deceiving. One of the goals of telehealth is to provide quality care with convenience and a fair cost.

Telehealth virtual visits cost on average 30% less than brick-and-mortar doctor’s office visits, according to the California state fee schedule. In addition, “health plans and employers see telehealth as a significant cost savings since as many as 10% of virtual visits replace emergency room visits which cost hundreds, if not thousands, of dollars for relatively minor complaints,” according to a study by American Well.

Benefits For All

Substantial evidence supports that better outcomes are produced the sooner an injured worker seeks care. Layered into CorVel’s proactive claims and medical management model, telehealth can upgrade early intervention to immediate intervention and is crucial for program success.

“We expect to add convenience for the injured worker while significantly reducing lag times from the injury to initiating treatment,” said David Lupinsky, Vice President, Medical Review Services.

“The goal is to continue to merge the ecosystems of providers, injured workers and payors.”

With a people first philosophy and an emphasis on immediacy, CorVel’s telehealth services reduce lag time and connect patients to convenient, quality care. It’s a win-win.

This article was produced by CorVel Corporation and not the Risk & Insurance® editorial team.

CorVel is a national provider of risk management solutions for employers, third party administrators, insurance companies and government agencies seeking to control costs and promote positive outcomes.