News Feature | February 20, 2015

Anthem Breach Leads To Push For Encryption Legislation

Christine Kern

By Christine Kern, contributing writer


The lack of encryption standards for health insurers raises questions about the safety of healthcare data.

The Anthem data breach, which left the account information of as many as 80 million customers exposed, has many lawmakers pushing for new encryption standards for all health information. Anthem has also come under attack because the breached data was not encrypted.

Although companies are not required by law to encrypt data – and many do not – personal health information (PHI) and other sensitive data are often valuable to hackers and therefore warrant a higher level of protection, according to some experts.

Now the Senate Health, Education, Labor, and Pensions Committee is planning to examine encryption requirements as part of a bipartisan review of health information security, according to U.S. News & World Report. Jim Jeffries, spokesman for Chairman Lamar Alexander (R-TN), explained, “We will consider whether there are ways to strengthen current protections.”

The enforcement of privacy rules established under HIPAA is conducted by the Office for Civil Rights, a small unit that operates as part of the federal Health and Human Services (HHS) Department. The Office for Civil Rights is currently treating the Anthem breach as a privacy law matter, even though it has yet to be notified directly by Anthem regarding the hack, according to U.S. News & World Report.

In a statement, the Office for Civil Rights said HIPAA regulations cover the type of personal data affected by the Anthem breach, even though it did not include specific medical information. “The personally identifiable information health plans maintain on enrollees and members — including names and Social Security numbers — is protected under HIPAA, even if no specific diagnostic or treatment information is disclosed,” the statement said.

Indiana University law professor Nicolas Terry told The Californian that, at the time, it appeared the 2009 HITECH Act struck a reasonable balance, creating incentives for encryption while stopping short of imposing a one-size-fits-all solution. But now, Terry thinks that the compromise has been overtaken by events.

“In today's environment, we should expect all health care providers to encrypt their data from end to end,” said Terry, who specializes in health information technology. If healthcare providers – including insurers – are not stepping up to the plate and strengthening data security voluntarily, then “HHS should amend the security rule to make encryption mandatory,” he said.

As data breaches continue to occur, affecting large numbers of individuals, attention will focus more tightly on mandatory encryption of personal information. Another recent hack, at the UC Davis Medical Center last fall, also brought the issue of encryption to the forefront.

Nearly 39 million people have had their PHI compromised in HIPAA privacy and security breaches involving 500 people or more, according to data from the Department of Health and Human Services. Hacking breaches account for nearly 10 percent of those affected, or 3.7 million people, according to HHS.