Anthem’s Massive Cyber Attack Underscores Healthcare Data Vulnerabilities
The nation’s second-largest health insurance company, Anthem Inc., announced last week that a cyber breach that occurred in January affected 80 million individuals – both employees and customers. The hackers obtained the names, dates of birth, street addresses, email addresses, employment information and Social Security numbers of these individuals, although to date there is no indication that they accessed any credit card or medical information.
Once the attack was discovered, Anthem released a memo to all employees indicating that it is working with the FBI to investigate the source and extent of the breach. The healthcare giant is also working with a cyber security firm to provide incident response and security assessment services.
Since the data breach was publicized, the fact that the records were not encrypted has come under scrutiny. When contacted by the Wall Street Journal about the unencrypted data, an Anthem spokesperson indicated that, like other health insurers, it only encrypts customer data when it’s transferred in or out of its database, but uses “other measures, including elevated user credentials, to limit access to the data when it is residing in a database.” In other words, the data was encrypted in transit but not at rest, with access control standing in for encryption inside the database. She also added that the government and employers require insurers to use Social Security numbers as unique identifiers for their customers.
Under the Health Insurance Portability and Accountability Act, or HIPAA, encryption is an “addressable” implementation specification of the Security Rule: a covered entity must assess whether encryption is reasonable and appropriate for its environment and either implement it or document why not and put an equivalent alternative measure in place. It is not an outright mandate. For some companies, it comes down to a choice between added security and extra cost. Even so, it’s not clear whether encryption alone could have thwarted the attack on Anthem, since it was carried out with stolen employee credentials: encryption at rest protects against theft of storage media or raw reads of the database files, but an attacker who logs in as an authorized user and queries through the application receives the data after the application has already decrypted it.
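The distinction in the preceding paragraphs, as an added example that is not code from Anthem or from the original article: a small SQLite table of member records built two ways, once in the transit-only model (SSN column stored in the clear, access gated by a role check) and once with application-level field encryption. A bulk read of the encrypted table yields only ciphertext, but a session that carries a stolen “claims_admin” credential passes the same role check the legitimate user would and gets plaintext back. The member names, SSNs, role names and the `claims_admin` role are constructed for the demo, and the cipher is HMAC-SHA256 in counter mode with an HMAC tag, a dependency-free stand-in for a vetted AEAD such as AES-GCM, not a recommendation.

```python
"""Constructed demo: encryption at rest versus stolen application credentials."""
import hashlib
import hmac
import os
import secrets
import sqlite3
from typing import List, Optional

# Constructed sample members; not real people or real SSNs.
MEMBERS = [
    ("Ada Example", "123-45-6789"),
    ("Bob Example", "987-65-4321"),
]

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. This is a stand-in so the demo runs on the
    standard library alone; production code should use AES-GCM or ChaCha20-Poly1305."""
    blocks = []
    for counter in range((length + 31) // 32):
        msg = nonce + counter.to_bytes(4, "big")
        blocks.append(hmac.new(enc_key, msg, hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt_field(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one column value: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_field(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject on mismatch."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered with or wrong key")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def build_db(key: Optional[bytes]) -> sqlite3.Connection:
    """key=None stores SSNs in the clear (the transit-only model);
    otherwise the application encrypts the SSN column before INSERT."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT PRIMARY KEY, ssn BLOB)")
    for name, ssn in MEMBERS:
        value = ssn.encode() if key is None else encrypt_field(key, ssn.encode())
        conn.execute("INSERT INTO members VALUES (?, ?)", (name, value))
    return conn


def bulk_dump(conn: sqlite3.Connection) -> List[bytes]:
    """What an attacker sees with raw database read access and no key."""
    return [row[0] for row in conn.execute("SELECT ssn FROM members ORDER BY name")]


def query_as(conn: sqlite3.Connection, key: bytes, user: dict, name: str) -> str:
    """Application path: enforce the 'elevated credentials' check, then decrypt.
    A stolen credential belonging to an authorized user passes this check unchanged."""
    if user.get("role") != "claims_admin":
        raise PermissionError(f"{user.get('name')} is not allowed to read SSNs")
    row = conn.execute("SELECT ssn FROM members WHERE name = ?", (name,)).fetchone()
    return decrypt_field(key, row[0]).decode()


def simulate() -> dict:
    """Compare the two storage models against the two attacker positions."""
    key = secrets.token_bytes(32)
    plain_db, enc_db = build_db(None), build_db(key)
    ssns = [s.encode() for _, s in sorted(MEMBERS)]
    stolen_session = {"name": "hijacked-admin", "role": "claims_admin"}  # attacker-controlled
    return {
        "dump_plaintext_db_leaks": bulk_dump(plain_db) == ssns,
        "dump_encrypted_db_leaks": any(blob in ssns for blob in bulk_dump(enc_db)),
        "stolen_admin_reads": [query_as(enc_db, key, stolen_session, n) for n, _ in MEMBERS],
    }


if __name__ == "__main__":
    print(simulate())
```

The result is the caveat in the paragraph above made concrete: the bulk dump of the plaintext table leaks every SSN, the bulk dump of the encrypted table leaks none, and the stolen administrator session reads every SSN from the encrypted table regardless. Field encryption moves the trust boundary to whoever holds the key and the credential; it does not replace credential hygiene, least-privilege roles, rate limits on bulk queries, or alerting on unusual read volumes.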
This lack of a clear encryption standard undermines public confidence, some experts say, even as the government moves ahead to spread the use of computerized medical records and promote electronic information sharing among hospitals, doctors and insurers. “We need a whole new look at HIPAA,” said David Kibbe, CEO of DirectTrust, a nonprofit working to create a national framework for secure electronic exchange of personal health information. “Any identifying information relevant to a patient … should be encrypted,” said Kibbe. It should make no difference, he said, whether that information is being transmitted on the Internet or sitting in a company database, as was the case with Anthem.
In fact, on the heels of the Anthem attack, the Senate Health, Education, Labor and Pensions Committee stated it’s planning to examine encryption requirements as part of a bipartisan review of health information security. “We will consider whether there are ways to strengthen current protections,” said Jim Jeffries, spokesman for chairman Lamar Alexander (R-Tennessee).
This latest attack against Anthem reinforces the need for robust cyber security measures as well as strong cyber liability insurance for medical facilities. Caitlin Morgan provides cyber insurance to healthcare entities as part of our comprehensive insurance program. Give us a call to find out more about our insurance program for healthcare facilities at 877.226.1027.
Sources: Anthem, Wall Street Journal, Associated Press