Insurance Commissioners, Congress Investigate Anthem Data Breach
February 10, 2015 in News
On Friday, the National Association of Insurance Commissioners announced that it will investigate a recent data breach at health insurer Anthem, which affected the private information of up to 80 million people, the Wall Street Journal reports (Wilde Mathews, Wall Street Journal, 2/6).
Background on Anthem Data Breach
Anthem last week announced that hackers had accessed a database containing the personal information of its customers, former customers and employees. Anthem spokesperson Cindy Wakefield said the company is “still investigating to determine how many were impacted.” The company said it did not yet know the source of the cyberattack (iHealthBeat, 2/6).
Following the data breach announcement, Anthem issued alerts to its customers about “scam email campaigns” that could try to take more of their personal data (Terhune, Los Angeles Times, 2/6). In a statement, Anthem officials said the emails look as if they come from the company and request that recipients click on a link to sign up for credit monitoring services. Anthem said individuals who receive the emails should not click on the links or enter information into any websites (Reuters/Washington Post, 2/6).
The company said it would contact those affected by the breach via mail with instructions on how to enroll in identity protection and credit monitoring services (Los Angeles Times, 2/6). Anthem said it would not contact individuals by phone and it would not ask for customers’ credit card or Social Security numbers by phone (Reuters/Washington Post, 2/6).
NAIC Investigation Details
NAIC President Monica Lindeen said the group’s members decided that “an immediate and comprehensive review of the company’s security must be a priority to ensure protection of consumers who are covered by Anthem.”
According to the Journal, the investigation likely will cover Anthem's operations in all U.S. states and territories. It will be led by insurance regulators in the states where Anthem has the strongest presence, such as:
- Indiana; and
- Maine (Wall Street Journal, 2/6).
For example, California Insurance Commissioner Dave Jones (D) said regulators in the state “will cast a very wide net,” looking into whether Anthem:
- Acted on earlier warnings regarding its security weaknesses; and
- Should have implemented stronger security measures, such as data encryption, before the attack.
Jones added, “We will be looking at anything that might have a bearing on the data breach and what could have been done to prevent it” (Los Angeles Times, 2/6).
Anthem officials said the company will fully cooperate with the review, noting that it has “taken quick action to enhance [its] systems and security processes” while remaining focused on investigating the breach (Wall Street Journal, 2/6). Anthem spokesperson Darrel Ng said the company is “working with FBI and cybersecurity experts so that we can determine the extent of this security breach and notify our customers.”
House, Senate Lawmakers Look Into Breach
Meanwhile, House Energy and Commerce Committee Chair Fred Upton (R-Mich.) said his committee met with Anthem representatives about the attack on Friday. He noted, “Companies have been warned that it’s not a matter of if they will be infiltrated but when. That’s why we’re continuing hearings and opening new lines of investigation” into the breach (Los Angeles Times, 2/6).
Separately, Senate Health, Education, Labor and Pensions Committee Chair Lamar Alexander (R-Tenn.) and Sen. Patty Murray (D-Wash.) on Friday announced an initiative to refocus efforts to improve health data security following the Anthem attack.
According to The Hill, the efforts will investigate how well health care companies are protecting consumers’ personal data. The group will also work with insurers and government agencies to help reduce the risk of future attacks (Ferris, The Hill, 2/6).
Breach Points to Hole in Health Privacy Law, Experts Say
Meanwhile, experts say the Anthem breach has revealed a hole in HIPAA, which regulates the privacy of health care data, the AP/San Francisco Chronicle reports (AP/San Francisco Chronicle, 2/6).
HHS’ Office for Civil Rights urges health care companies to encrypt as much data as they can. However, HIPAA does not require encryption when data are stored, only when data are shared.
According to experts, Anthem did not encrypt the consumer data it stored as it did for medical information that was shared outside of its database. In addition, Anthem — like many other health care organizations — did not store personal data in separate databases that could be locked if an attack occurs, experts said (iHealthBeat, 2/6).
Experts said HIPAA’s lack of encryption standards for stored data weakens public confidence that companies can keep records safe, particularly when the federal government is pushing initiatives to expand the use of electronic health records and promoting data sharing among providers. DirectTrust CEO David Kibbe said, “We need a whole new look at HIPAA. Any identifying information relevant to a patient … should be encrypted,” regardless of whether the information is being shared.
However, some observers argue that encrypting stored data could make daily processes more cumbersome for some companies and add costs. In addition, the data still would be at risk if a hacker breaks the encryption or steals the key. For example, Anthem spokesperson Kristin Binns said encryption would not have stopped its recent data breach because the hacker used a system administrator's ID and password to enter the system (AP/San Francisco Chronicle, 2/6).
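The two points the experts make above (encryption at rest with the key kept out of the database defeats someone who merely copies the data, but a valid administrator credential walks straight through the application's own decryption path) can be shown in a few dozen lines. The following is an added illustration written for this page; it is not code from Anthem, the article, or any of the sources cited, and every name, record, credential and key in it is constructed. The cipher is a stdlib-only construction (HMAC-SHA256 as a PRF in counter mode, encrypt-then-MAC) chosen so the example runs offline; a real system would use a vetted AEAD such as AES-GCM and a key-management service. The `bulk_access_alerts` check is an assumed, simplified stand-in for the kind of decryption-rate monitoring a defender would pair with encryption at rest.

```python
"""Field-level encryption at rest for PII, and why a stolen credential bypasses it.

Added example (constructed data, constructed key, constructed credentials).
Stdlib only: HMAC-SHA256 in counter mode as the stream cipher, encrypt-then-MAC.
Not a production cipher; it stands in for an AEAD such as AES-GCM.
"""
import hashlib
import hmac
import os
from collections import Counter

# Key separation: the application holds the key; the database rows never do.
APP_KEY = hashlib.sha256(b"constructed-demo-key-do-not-reuse").digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream block i = HMAC-SHA256(key, nonce || i), concatenated to `length`."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the application key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt_field(key: bytes, plaintext: str) -> bytes:
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(key: bytes, blob: bytes) -> str:
    """Verify the tag first, then strip the keystream. Raises ValueError on tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


class PiiStore:
    """Member records whose SSN column is ciphertext; name stays in clear as the lookup key."""

    def __init__(self, members, credentials, app_key=APP_KEY):
        self.key = app_key
        self.credentials = credentials      # constructed user -> password table
        self.access_log = Counter()         # decryptions per principal (for detection)
        self.rows = {m["member_id"]: {"name": m["name"],
                                      "ssn": encrypt_field(app_key, m["ssn"])}
                     for m in members}

    def raw_dump(self) -> bytes:
        """What someone who only copies the database file obtains."""
        return b"".join(r["name"].encode() + r["ssn"] for r in self.rows.values())

    def lookup_ssn(self, user: str, password: str, member_id: int) -> str:
        """The application's own path: any holder of a valid credential gets plaintext."""
        if not hmac.compare_digest(self.credentials.get(user, ""), password):
            raise PermissionError("bad credential")
        self.access_log[user] += 1
        return decrypt_field(self.key, self.rows[member_id]["ssn"])

    def bulk_access_alerts(self, threshold: int):
        """Detection hook: principals that decrypted more than `threshold` records."""
        return sorted(u for u, n in self.access_log.items() if n > threshold)


if __name__ == "__main__":
    members = [{"member_id": i, "name": f"Member {i}", "ssn": f"123-45-{i:04d}"}
               for i in range(1, 6)]
    store = PiiStore(members, {"dbadmin": "constructed-password"})
    dump = store.raw_dump()
    print("SSN visible in copied database:", any(m["ssn"].encode() in dump for m in members))
    for i in range(1, 6):
        print("via valid credential:", store.lookup_ssn("dbadmin", "constructed-password", i))
    print("bulk-access alerts:", store.bulk_access_alerts(threshold=3))
```

Run stand-alone, the script shows that the copied database contains no SSN, that the same SSNs come back in clear through `lookup_ssn` once a valid credential is presented, and that the only remaining signal is the volume of decryptions attributed to that principal, which is why rate-based alerting on decryption, not encryption alone, is what catches an attacker operating with a legitimate administrator account.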