CareFirst, a well-known Blue Cross Blue Shield health plan, has become the third major health insurer this year to reveal that its computer systems had been breached by hackers [1]. This announcement comes in the wake of the mammoth breach of Anthem earlier this year.
Ironically enough, the hack was discovered while the firm was making cybersecurity upgrades. To date, it's been reported by CareFirst that as many as 1.1 million customers could be affected by the hack [2]. On the surface, it appears to be a case of too little too late with cyber security.
Being number three in this situation is definitely not an enviable distinction, the state of health care data security within the United States is severely lacking. With Anthem, an insurer listed as the second largest in the country, as well as CareFirst, it's not only a breach of data and lack of Health Insurance Portability and Accountability Act (HIPAA) privacy rule compliance. It is also a breach of trust with consumers and plans members.
Anthem was clearly advised about the need for increased data security, but the firm failed to encrypt patient Social Security numbers. As a result of the Anthem hack, 80 million current and former customers were exposed to serious risk with data that included names, Social Security numbers, birth dates, addresses, and income data. Company employees' data was also put at risk. There's still no definite information as to whether or not personal medical information and health records were hacked [3].
What the Healthcare Industry Can Do to Protect Data
While these types of breaches differ in their financial impact from those involving payment card industry (PCI) data, the consequences can be deep and lasting. Protected health information (PHI) is meant to be private and should be secured because it doesn’t take much to triangulate between a dataset and online activity to affect a real-world human being. Despite the high-profile nature of breaches, specifically, the potential damage done by those in the healthcare industry, IT security is severely lacking in the facilities of medical service providers.
These companies know they have a problem and are beginning to identify a trajectory to dig out [4]. But how long will this take? It is critical that companies put into place the proper measures to know when sensitive information is being accessed and by whom so that cases like these do not become more widespread.
References:
[1]http://www.slate.com/blogs/future_tense/2015/05/21/carefirst_insurance_h...
[3]http://www.wired.com/2015/02/breach-health-insurer-exposes-sensitive-data-millions-patients/
