Anthem, previously known as WellPoint, Inc., the nation’s second-largest health insurance company, recently suffered a sophisticated external cyberattack. Reportedly, 80 million of Anthem’s insureds had personal information stolen when Anthem was hacked.
According to Anthem president and CEO Joseph Swedish, the hackers gained access to Anthem’s computer system and got the information, including names, birthdays, medical IDs, Social Security numbers, street addresses, email addresses, and employment information, including income data.
The affected database had records for approximately 80 million people in it, “but we are still investigating to determine how many were impacted. At this point we believe it was tens of millions,” said Cindy Wakefield, an Anthem spokeswoman.
That number would make it “the largest health care breach to date,” said Vitor De Souza, a spokesman for Mandiant, the computer security company that Anthem has hired to evaluate its systems.
USA Today opined that, because no actual medical information appeared to have been stolen, the breach would not come under HIPAA rules, which governs the confidentiality and security of medical information. This conclusion appears problematical because HIPAA not only protects medical (clinical) information but also protects financial, democratic, and lifestyle information. It is inconceivable that the second-largest health insurance company in the nation would not have such protected health information (“PHI”). Tim Eades, CEO of computer security firm vArmour in Mountain View, CA, stated that the hackers “were probably not interested in medical information” and that “the personally identifiable information they got is a lot more valuable than the fact that I stubbed my toe.” No credit card information was obtained, the company said in a statement emailed to USA Today, which seems to belie any conclusion that it is not a HIPAA issue.
Nor does the USA Today opinion take into account the risk of medical identity—that is, that hackers may be targeting patients with health insurance so that others can impersonate them and receive their health benefits. The risks of medical identify theft may be greater than garden variety identity theft. The one using the PHI to get treatment will generate a record that may be used by a subsequent provider who is working on the real patient, so the theft could even be life-threatening.
In a similar although not life-threatening situation, an attendee at one of my seminars told me that she had lost her wallet on vacation in Florida. Several years later, she returned to Florida and was stopped for speeding. When the law enforcement officer ran her license, she quickly found herself behind bars for felony child abandonment. The woman who had found the lost wallet had used the identity cards in it to have a baby as the woman who had lost the wallet and had then abandoned the baby. The victim of the medical identity theft beat the rap when the DNA test provided that it was not her baby, but she spent several uncomfortable weeks in jail until she made bail and had to hire a Florida defense attorney. Then, she recounted that she had had a two-year fight with the health plans and providers who were trying to recover the costs from her.
Anthem has established a website where members can access information about the breach. There is also a toll-free number for current and former members to call, 877-263-7995.
The FBI is investigating the breach. Customers whose information has been stolen should report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center.
Although most of the HIPAA breaches to date have involved no risk analysis and defective policies and training, technical breaches, such as involving hacking, certainly appear to be on the rise. Perhaps, if Anthem had conducted a good penetration test and had implemented regular scanning to determine how secure its system was from hackers, it could have avoided this major breach, HIPAA or otherwise.
As a reminder, if you need to perform/update your risk analysis, draft/update your policies and procedures, provide initial/refresher training, and need help with any or all of those tasks, go to our Veterans Press website and/or call our marketing director, Patrick R. Head II, toll-free at 855-341-8783, or email him at patrick@veteranspress.com. If you need help with pen testing and scanning, contact IT guru Brent Sadler of WCCiT in Salina, KS, at brent@wccit.com.