More than 80 million people across the country who currently have, or have previously had, health insurance through Anthem were in for a rude awakening recently when they learned that the healthcare provider was the victim of what it calls a sophisticated cyber-attack.
The healthcare data breach is the latest in what seems to be a never-ending string of data breaches impacting a wide range of industries, and the Anthem breach is potentially one of the largest ever to hit a healthcare organization.
This is the second time in recent history that Anthem specifically has been hit: in 2010 it was fined $1.7 million for a computer breach that resulted in a similar disclosure of personal information for approximately 612,000 people, a minuscule incident compared to the one that occurred recently. Early information indicates this single data security breach could affect more individuals than the last five years of healthcare record breaches combined, according to research by Forbes.
This is a major blow for HIPAA and for patient privacy, as social security numbers and other non-medical or financially sensitive data were potentially compromised and put into the hands of individuals who could later use the information in phishing attacks disguised as communication from Anthem.
What the Anthem Breach Means to Healthcare Providers
This is absolutely a wake-up call for large healthcare organizations, including Anthem, the unfortunate victim in this healthcare data breach, although steps could have been taken to prevent the Anthem breach from happening.
HIPAA does not require healthcare organizations to fully encrypt social security numbers and other patient-sensitive information, but does highly recommend it. While encryption would have certainly made it more difficult for hackers to access the information that was compromised in the Anthem breach, the MIT Technology Review doesn’t necessarily think encryption alone would have stopped the attack from taking place.
Encryption, after all, is good for securing data in transit and at rest, but if credentials are compromised, encryption is of little use: an attacker logging in with a valid account reads the data through the same application path as an authorized user, and the application decrypts it for them. The Anthem data was accessed after hackers gained access to at least five sets of employee credentials in a sophisticated phishing attack, according to US News. The author of the MIT article found it incredibly easy to identify which type of software Anthem uses to store its data just from a quick look at LinkedIn profiles of Anthem employees, while identifying those who had access to the database at the same time.
The Anthem breach in particular should be a wake-up call to every healthcare institution with regard to security. There is no such thing as being “HIPAA certified”; it is all about maintaining HIPAA compliance and taking steps in accordance with a set of best practices.
Healthcare organizations should take a good look at their security, completing their required HIPAA risk assessment and updating it if it’s been more than a year since their last audit.
While encryption alone will not prevent an attack, it is important to ensure that all data is encrypted at rest, in storage and in transit. The Anthem data was not encrypted properly in all three phases.
Healthcare organizations should also ensure they have firewalls in place that block all traffic by default and whitelist only the connections that are needed. Passwords should also be strong and unique, so as not to invite hackers into sensitive databases with weak, generic passwords. All employees should also be trained on the company policies in place to protect sensitive data from being accessed.
What the Anthem Breach Means to Employers & Patients
The unfortunate victims in this healthcare breach aren’t Anthem alone; they are the 80 million individuals and families that potentially fell victim to the attack.
Anthem has notified employers of the data security breach, and those employers have, in turn, notified their employees that their information has potentially been compromised.
Anthem is currently conducting an internal investigation to determine exactly who was impacted by the Anthem breach and when. They will notify affected individuals through written communication once exact victims have been determined.
There is no evidence that medical information or credit card information was compromised in the data security breach, and Anthem will be enrolling all affected members in identity repair services, and providing information to them on how to enroll in free credit monitoring.
The best thing an employee affected by the data security breach can do is to be mindful of any communication that appears to have come from Anthem. If asked for credit card or other sensitive information via an email or phone call that appears to be coming from Anthem, please, don’t provide it. Anthem will never ask you for this information, which could be another piece in the puzzle to completely compromising your identity and your financial well-being.
Anthem has created a website, www.anthemfacts.com, with a list of frequently asked questions and ongoing information about the Anthem breach as more information unfolds.
ThrottleNet is an Expert in Managed IT for Medical Offices
At ThrottleNet, we understand the compliance measures that go into HIPAA and the extra steps that need to be taken to ensure patient data doesn’t get compromised.
We have been a leader in providing managed IT support to medical offices in the St. Louis area for years. We understand the ever-changing compliance measures that our medical clients have to deal with on a day-to-day basis, and can provide a comprehensive IT solution fit for medical providers. Learn more about our Managed IT services and our experiences in the healthcare industry.
Contact us today to learn more, and read about ongoing security threats and what they mean to consumers and businesses alike on our blog. Check out our TNtv web series on our website or on our YouTube channel to get more in-depth analysis on what really matters in tech today.