This week Anthem Health Insurance reported what will most likely be the largest breach of HIPAA Data in the history of the HIPAA Security Standard. According to Anthem’s initial official statement, “there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.” However, the “attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.”
Although there will be much more discovery, discussion and ruling on the full scope of the breach (including who’s behind it), the issue of the type of information accessed is likely to become a critical focus of conversation. For this to be considered a HIPAA breach, Protected Health Information (PHI) as defined by HIPAA and HITECH Security Rules would have to be involved. According to Sarah Badahman, CEO of HIPAATrek, a person’s name, address and social security number (identifiers confirmed as part of the Anthem breach) are in fact included within the 18 points of data that make up PHI. The average fine up to this point for a HIPAA breach has been approximately $700 per record. Multiply this by nearly 80 million records and this has the potential to become the world’s largest fine in addition to potentially being the largest breach of PHI.
Preventing Data Breaches
While clearly an unfortunate situation no matter how it plays out, there are lessons to be learned and actions other companies can take now to reduce the risk of a data breach. Within any PHI environment, these personally identifying elements are stored – or “hosted” – in data repositories such as file shares, databases, application data sets and FTP targets. HIPAA and HITECH dictate that these repositories use “Commercially Acceptable Safeguards to render the information Unreadable, Undecipherable and Inaccessible to outside parties.” To anyone in the industry this means data encryption, and not only encrypting the data at rest on disk, but also while it is in transit between the Web, Application and Database layers of the application(s) that store and access the PHI.
In addition to encrypting this data, a HIPAA compliant environment also needs access controls, Intrusion Detection Systems (IDS), password management, and a consistent approach to security patches to correct software vulnerabilities. Policy management, File Integrity Management and centralized logging services round out a secure HIPAA compliant solution. Implementing and managing these items requires engineers experienced with HIPAA compliance and proven security processes. If properly implemented, however, they can mean the difference between a simple intrusion attempt that gets blocked and the world’s largest HIPAA breach.
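As an added illustration of the File Integrity Management control mentioned above (example code written for this post, not Connectria’s tooling or any product named here), the script below records a SHA-256 baseline of every file under a directory and later reports which files were added, removed or modified. The directory contents and the tampering steps in demo() are constructed for the example; the checker itself works on any directory tree.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare_to_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Re-hash the tree and classify every difference from the stored baseline."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline.keys() & current.keys() if baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, tamper with it, report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        # Constructed sample files standing in for a config file and a service binary.
        (root / "etc" / "app.conf").write_text("db_host=internal-db\nencrypt_at_rest=true\n")
        (root / "bin" / "service").write_bytes(b"\x7fELF placeholder bytes")

        baseline = build_baseline(root)

        # Constructed tampering: a setting is weakened, a binary is replaced by another file.
        (root / "etc" / "app.conf").write_text("db_host=internal-db\nencrypt_at_rest=false\n")
        (root / "bin" / "service").unlink()
        (root / "bin" / "helper").write_bytes(b"unexpected new file")

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {names}")
```

In practice the baseline must be kept where a compromised host cannot rewrite it (signed, or stored on the central logging server the same control set calls for), and each run’s result should be shipped to that central log so that an unexpected “modified” entry on a configuration file or binary is an alert, not a line nobody reads.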
Check back for more specifics and action items for companies who must protect PII, PHI and financial data. Learn more about Connectria’s long-standing expertise in HIPAA Compliant hosting, and most recently developed HIPAA Compliant AWS support.