WSJ.com points out in an article that Anthem Inc., the health insurer that recently announced a massive data breach potentially affecting 80 million people, did not use health data encryption to secure the data that was stolen. It also points out that applying encryption can be a “balancing act between protecting the information and making it useful.”
80 Million People Affected
The details of the breach are as follows: Anthem Inc., which in years past was also known as Wellpoint, found last week that hackers – potentially backed by the Chinese government – broke into the health insurer’s online database. The extent of the damage is as yet unknown, although the company has admitted that all of its business units have been affected. The company boasts 80 million members.
The stolen information includes addresses, phone numbers, names, dates of birth, and Social Security numbers. Financial information such as credit card numbers was spared. It is pointed out that this could be “the largest computer data breach disclosed by a health-care company,” meaning that it will also be the largest breach listed on the HIPAA “Wall of Shame.” Currently, the top spot is held by Science Applications International Corporation (SAIC), thanks to the 4.9 million military members who were affected when it experienced its own massive data breach in 2011.
It looks like Anthem will blow SAIC out of the water. Interestingly enough, the company has already had a run-in with HHS over HIPAA data security violations: in July 2013, it settled with HHS for $1.7 million when it was still known as Wellpoint (well, technically Anthem and Wellpoint merged).
Slowly Tilting Toward Encryption
There’s a reason why HHS does not require the use of encryption anywhere and everywhere sensitive personal data is stored: sometimes, it just might not be possible. Consider, for example, an MRI machine. The gigantic magnetic cocoon is only part of the machine; a computer that collects and processes the data is another part. Whether that computer can be encrypted is not really up to individual hospitals and clinics, but to the manufacturer. Likewise, there are myriad reasons why a particular database cannot be encrypted (although, in this day and age, the odds of that reason being a technical one are remote).
However, it seems that HIPAA covered entities will have to bite the bullet and find ways to ensure that all of their patient data are encrypted, or make it a point to choose hardware that can be properly protected. The alternative is not worth the trouble: forking over $1 million or more on a periodic basis, inviting the wrath of clients (and their lawsuits), having HHS/OCR oversee their operations for months on end after an incident, and dealing with the consequences for years (the breach that resulted in the Wellpoint settlement of 2013 goes back to June 2010).