Health insurance giant Anthem is the latest victim of a major data breach that exposed tens of millions of customers’ and employees’ names, birthdates, and Social Security numbers (including the Anthem CEO’s). That makes it the largest healthcare breach to date, according to Vitor De Souza, a spokesman for Mandiant, the computer security company Anthem hired to evaluate its systems, who was quoted in USA Today.
Anthem reported that no actual medical information was stolen and that the breach would not come under the rules of Health Insurance Portability and Accountability Act (HIPAA), which governs the confidentiality and security of medical information.
The Office for Civil Rights, a small unit of the U.S. Health and Human Services Department (HHS) charged with enforcing HIPAA privacy rules, disagrees that HIPAA does not apply, according to a report in US News & World Report. The agency issued a statement that the kind of personal data stolen by the Anthem hackers is covered by HIPAA, even if it does not include medical information.
Either way, this incident illuminates a major loophole in the HIPAA regulation regarding encryption. HIPAA encourages encryption of consumers’ personal data but does not require it – a situation that could change as a result of the Anthem breach. US News & World Report reported that the Senate Health, Education, Labor and Pensions committee “plans to examine encryption requirements as part of a bipartisan review of health information security.”
The incident certainly highlights the importance of organizations taking steps to properly protect the information they retain on their customers and employees. ARMA’s Generally Accepted Recordkeeping Principles® draw attention to this need in the Principle of Protection: “An information governance program shall be constructed to ensure a reasonable level of protection to information that is personal or that otherwise requires protection.”
As hackers become more sophisticated and customers become more aware of their personal information that may be at risk, it is incumbent on organizations to “up their game” to protect information in their possession by implementing technology that can prevent hacks, as well as insider leaks, and to ensure employees are aware of their responsibilities to protect company information.
In addition, organizations should develop data breach notification programs so they can respond quickly. Data breach laws vary by legal jurisdiction, but they generally include a requirement to notify affected individuals in a timely manner.
The National Conference of State Legislatures maintains a list of data breach requirements by state, which can be accessed here: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
The International Association of Privacy Professionals also has a number of resources and checklists available to guide the development of an organization’s data breach response program. These resources can be accessed at www.privacyassociation.org.
Read more: http://www.usnews.com/news/politics/articles/2015/02/07/no-encryption-standard-raises-health-care-privacy-questions and http://www.usatoday.com/story/tech/2015/02/04/health-care-anthem-hacked/22900925/