Anthem breach reinforces the need for encryption at rest as well as in transit

Anthem, the second largest health insurer in the US, announced last week that personal information of up to 80 million customers and employees was the subject of a “very sophisticated external cyberattack”.

There have been 40 million people affected by data breaches from multiple entities in the last decade; this breach has the potential to be twice as damaging as all previously reported incidents combined.

While the exact cause of the breach has not yet been revealed in full, hackers were able to access data including names, birthdays, medical IDs/Social Security numbers, street addresses, email addresses and employment information, including income data which is already being used to send out phishing emails.

According to experts, Anthem did not encrypt the data it stored in the same way that it did when sharing medical information outside of its database. Furthermore, it has been reported that Anthem did not store data in separate databases that could be locked if an attack occurred.

Lawsuits have already been filed against Anthem following the data breach. This is the largest breach in the healthcare industry ever reported, and is likely to result in record-breaking fines being handed out, beating the current highest $4.8 million settlement that occurred as a result of a joint breach involving New York-Presbyterian Hospital and Columbia University.

A PricewaterhouseCoopers study found information security incidents rose by 60 percent in the healthcare industry in 2014, so even with stringent measures in place, the Anthem hack should be a wake-up call for organizations that are not taking encryption as seriously as they should be.

Under the current HIPAA privacy rule, organizations aren’t required to encrypt consumers’ data – this is only an ‘addressable’ part of HIPAA. The rule encourages encryption but doesn’t require it, an omission that seems striking in light of the major cyberattack against Anthem.

Although the type of data stolen did not include medical information, it is still covered by HIPAA as the personally identifiable information contained in health plans includes names and Social Security numbers.

The HITECH Act, passed in 2009, sought to nudge the healthcare industry towards improving security when storing and transmitting ePHI by increasing fines for violations, and by launching a database that publicly discloses any health data breach affecting 500 or more individuals.

Encryption has been seen as a controversial issue in the healthcare industry, particularly for data that’s only being stored and not transmitted. The HIPAA privacy rule still states that encryption is not mandatory. Anthem spokeswoman Kristin Binns stated that “encryption would not have thwarted the latest attack because the hacker also had a system administrator’s ID and password”, and further stated that “the company normally encrypts data that it exports”.

In today’s environment, end-to-end encryption should be expected from all healthcare providers and their business associates. Encrypting data only when it’s moved out of the database is not good enough, as demonstrated by the huge number of breach incidents that have occurred in the last few years.
