Anthem Breach Triggers Regulatory Pressure

By: Arieanna Schweber | 3/6/2015

Healthcare insurance provider Anthem recently suffered a major data breach, one affecting as many as 80 million customers from Anthem or other independent Blue Cross and Blue Shield plans that work with Anthem. Anthem is already facing more than 50 class-action lawsuits over the breach, with allegations that Anthem did not take appropriate measures to protect customer data. In addition to lawsuits, the breach has triggered actions by regulators, who will be investigating this breach and stepping up assessments in the insurance industry.

Anthem Breach Triggers Lawsuits

The Anthem breach included names, medical identification numbers, Social Security numbers, birthdays, email and street addresses, and employment and income data. This breached data was not encrypted, which has been a core argument in the lawsuits filed against Anthem. According to lawyers at Weitz & Luxenberg, some victims of the data breach are already being targeted with phishing scams, and the information could also be used to perpetrate financial fraud.

"This theft is the result of Anthem's failure to implement cyber security measures commensurate with the duties it undertook by storing vast quantities of sensitive customer data," said Robin L. Greenwald, who heads Weitz & Luxenberg's Environmental, Toxic Tort & Consumer Protection Unit.

Aside from the 50 class-action lawsuits currently pending, Anthem could face private civil suits as well as both state and federal sanctions. Since Anthem operates in every US state and territory, the financial implications of this breach are staggering.

Anthem Breach Triggers Industry-Wide Regulatory Actions

The National Association of Insurance Commissioners (NAIC), a group representing state regulators, called for a multi-state examination of Anthem and its affiliates, with hopes that all 56 states and territories would sign on to the examinations. Since health insurance is mostly regulated at the state level, regulators in each state can impose sanctions independently. Of course, this does not preclude additional sanctions under the federal Health Insurance Portability and Accountability Act (HIPAA).

Timed with its new report on cybersecurity in the insurance industry, and given added credence in light of Anthem's breach, New York's Department of Financial Services (DFS) announced that it will be conducting regular, targeted assessments of cyber security preparedness at insurance companies and will be issuing heightened standards for cyber security.

Superintendent Lawsky said: “Recent cyber security breaches should serve as a stern wake up call for insurers and other financial institutions to strengthen their cyber defenses. Those companies are entrusted with a virtual treasure trove of sensitive customer information that is an inviting target for hackers. Regulators and private sector companies must both redouble their efforts and move aggressively to help safeguard this consumer data.”

What to Learn from the Anthem Breach

Although medical records were not breached, this breach still goes down as one of the largest personally identifiable information (PII) data breaches in history. Though Anthem was the target of a sophisticated cyber attack, the lack of data protection is the real clincher in this case.

Many news articles focus on encryption as the "answer" to protecting consumer data in this case. Although not mandated by HIPAA, encryption does offer a first line of protection for data. The reality, however, is that encryption is only one piece of the puzzle, whether it is used to protect data on the network or on the endpoint. You must also be able to prove that encryption was in place and working in order to satisfy compliance auditors. Most full-disk encryption programs are vulnerable to cold boot attacks, and all software-based encryption systems are vulnerable to various side-channel attacks. Encryption can be bolstered by a persistent security and management solution.

6 Steps to Avoid a Healthcare Data Breach


  • Encrypt PHI stored on portable devices including laptops, tablets, and smartphones
  • Choose a persistent endpoint security and management solution that will allow you to maintain a connection with a device regardless of user or location
  • Run status reports to prove encryption solutions were in place and working properly during and after an endpoint security incident (this is an important step to satisfy the rules set by the HHS Office for Civil Rights)
  • Use security software that allows you to perform remote actions on an endpoint such as data delete, data retrieval, device freeze, and forensic investigations
  • Review and update HIPAA privacy and security policies so you’re up to date with regulatory compliance requirements
  • Learn from peer organizations that have experienced a data breach (like this Anthem breach) and make necessary adjustments to ensure you don’t suffer the same fate

Healthcare organizations around the world rely on Absolute Software to secure devices and the sensitive patient data they contain. Close to 80% of healthcare data breach scenarios can be mitigated with Absolute Software. Learn more here.
