A data breach at Anthem, one of the country’s largest health insurance companies, left many in a vulnerable position last month, with medical records in various black markets. With 80 million people in the exposed database and tens of millions known to be affected, this is now the largest healthcare breach on record. No medical or credit card information was stolen, as the personal information is much more valuable. Information such as Social Security and medical IDs sells for several hundred dollars, compared to mere cents for credit card information, as identity thieves can use personal information for anything from creating aliases to committing medical fraud.
These breaches are becoming more and more sophisticated, as it isn’t necessarily one hacker guessing the password, getting through security and accessing information in bulk. Oftentimes, hackers collaborate by seeing where others have discovered the weak areas in security. The technology has advanced to where they can now peruse the databases while masquerading as an employee. They can then pick and choose files to store in one area of the database to exfiltrate.
With the recent push for the conversion from paper to electronic bookkeeping in hospitals and insurance, the personal information of patients is now more likely to be accessed by those not authorized to do so, whether accidentally or maliciously. Thefts like this have now affected more than 1.8 million U.S. citizens. They also allow hackers to illegally obtain medical services, gain easier access to drugs and con private insurers and government benefit programs.
USA Today reports that as “no medical information appears to have been stolen, the breach would not come under HIPAA rules, the 1996 Health Insurance Portability and Accountability Act, which governs the confidentiality and security of medical information.”
I do not agree with this statement. HIPAA rules do not state that in order for a patient’s medical record to be compromised, one must illegally obtain their record and use that for nefarious purposes. HIPAA is the doctor-patient confidentiality code in which no others are to be told of the patient’s well-being without the patient’s disclosure. I personally believe that this breach falls well under HIPAA laws.
To know that there are strangers out in the world who could have, and probably have at one point, seen my medical records and been able to attach my name to various procedures and health history is quite unsettling. This can be very personal information that I would not disclose to just anyone.
Also, this can be an issue of national security. There are many government officials who go out of their way to keep their identities out of the public light and often use aliases for security reasons. However, they do use their real identities in the case of health care. Now they are put in a compromising position, as their identities, linked to those of their families as well, can be used against them in certain situations.
Also, there are now rumors that the breaks in security at Anthem originated in China. This leads to a greater issue on an international level. These could be independent hackers acting of their own volition. However, if they were acting on orders from the government, we also have foreign ties to remedy.
There should be stricter regulations in place for when another cyber attack occurs. Anthem can be applauded for notifying the FBI immediately after the hack. This is an action that should be controlled with a security alert. If someone could develop a program that notifies authorities of any suspicious activity occurring on the database, we would be closer to preventing such attacks.
We should focus our attention on preventative measures, as they could decrease the number of consumers who now feel like victims due to our lack of security.