On February 4, health insurance giant Anthem, Inc., announced that it was the victim of a cyber attack. Hackers were able to gain access to a database containing approximately 80 million records of current and former Anthem customers and employees. Anthem reported that the data included names, dates of birth, addresses, Social Security numbers, emails, employment information, and income data. No medical or credit card information was compromised. In an era of frequent data breaches, the Anthem cyber attack is one of the largest breaches of customer information to date.
Where there is a breach, there are legal ramifications to follow. More than 50 class-action lawsuits related to the Anthem breach have already been filed within a month. Anthem and its plans could find themselves held legally responsible for the breach under the federal Health Insurance Portability and Accountability Act (HIPAA) privacy and security law as well as state laws. They likely also face a rising number of private civil suits.
A number of state attorneys general have been outspoken about steps they intend to take to protect consumers following the breach. In a February 10 letter sent by the Connecticut Attorney General on behalf of attorneys general in a number of other states, the Connecticut AG expressed concern with Anthem’s delay in notifying those affected (the breach was discovered on January 29) and in providing the credit monitoring services it had promised. In addition, the letter asked Anthem to compensate consumers for any losses associated with the breach during the period between the date of the breach itself and the date Anthem provided customers with access to credit and identity theft safeguards.
The big question with this cyber security breach is why member information was not encrypted to prevent files from being accessed by unauthorized personnel and hackers. The Anthem cyber security attack has highlighted that HIPAA does not require encryption of member data.
Security and legal analysts have already begun compiling a list of lessons in the wake of the Anthem breach. First and foremost, information should be encrypted. Security analysts have roundly faulted Anthem for failing to effectively encrypt the data. Additionally, the Anthem breach underscores the importance of implementing strong cyber security governance and conducting cyber security audits to determine how cyber security is managed within an organization. Also, as evidenced by the outspoken responses from state attorneys general, states are increasingly focused on the speed of data breach notification, and delays of even a few days clearly may not be tolerated. For that reason, organizations need to prepare for the event of a breach, because even with the latest network protections there is always a chance that cyber criminals can launch a successful attack. This means working to alert key stakeholders, coordinate appropriate outreach plans, and align the necessary legal counsel.