By Christine Kern, contributing writer
In the wake of the announcement of the Anthem Data Breach, concerns rise over information security.
The Anthem data breach which exposed the account information of as many as 80 million customers has had a ripple effect through healthcare, raising concerns about the safety and security of personal information across the board. Now the health insurer is being accused of a failure to inform affected customers of the breach according to CNet, and The Wall Street Journal reports insurance regulators are launching an investigation into the data breach.
According to DataBreaches.net there have also been at least four lawsuits filed to date against Anthem in Indiana, California, Alabama and Georgia. The suits allege Anthem did not take adequate and reasonable measures to ensure its data systems were protected and that the 80 million Anthem customers whose information may have been affected could be harmed.
Anthem has also come under attack because the breached data was not encrypted. Although companies are not required by law to use encryption of date – and many do not – personal health information (PHI) and other sensitive data is often valuable to hackers and therefore commands a higher level of protection, according to some experts.
The Wall Street Journal reported Anthem’s decision to store the Social Security numbers of the 80 million customers without using encryption as the result of “a difficult balancing act between protecting the information and making it useful.” Scrambling data would indeed have made it harder for hackers to access, but it would also complicate the tracking of healthcare trends or data sharing by Anthem employees.
The Anthem hack thus thrusts the issue of data security squarely into the limelight. While attention is being directed to the impact of the Anthem breach and the possibility that other breaches may follow, it is also highlighting flaws in the existing legislation regarding the protection of health information.
The Health Insurance Portability and Accountability Act (HIPAA) encourages encryption of data, but does not require it. This lack of a clear encryption standard serves to undermine public confidence, The Huffington Post states, while the government continues to press the interoperability and exchange of EHRs and PHI.
“We need a whole new look at HIPAA,” David Kibbe, CEO of DirectTrust, the nonprofit working towards a national framework for secure electronic exchange of personal health information, told the Huffington Post. “Any identifying information relevant to a patient … should be encrypted. It should not matter whether the information is being transmitted via the Internet or being housed in a company database: the standard should be universal.”
The 2009 HITECH Act also sought to nudge the health care industry toward encryption, and required public disclosure of any health data breach affecting 500 or more people. It also created an exemption for companies that encrypt their data.
Under the HITECH law, the government set up a public database listing major breaches, known informally as the “hall of shame.” Breaches on that list affected more than 40 million people over a decade, meaning that the Anthem case could be twice as damaging as all previous reported incidents combined.