Health care providers, insurers and all who handle information on their behalf were put on notice last week that cybersecurity must be a high priority for their organizations. Anthem, Inc. (“Anthem”), the nation’s second largest health insurer, revealed on February 4, 2015 that its information technology (“IT”) system was victimized by a “very sophisticated” cyberattack that exposed the birthdates, social security numbers, street and email addresses and employee data (including income information) of approximately 80 million customers and employees. Anthem noted that the hackers apparently did not get any health information or credit card numbers in the attack, but that the hack did yield medical information numbers. Anthem discovered the breach on its own on January 29th and contacted the FBI, which has started an investigation into the matter.
Large hospitals and health insurers are not the only ones at risk. As the Anthem attack illustrates, health information is a high-priority target for cybercriminals. Currently, a complete health record may be worth at least ten times more than credit card information on the black market, as health records often include a treasure trove of personal information that can be used for identity theft and to file false health insurance claims. Further, the cybersecurity protections currently in place in the health care industry tend to lag behind those in the banking and financial sector, which makes the information vulnerable to cyberattacks by criminals who view the information as “low hanging fruit.”
Failure to have robust cybersecurity programs in place can have a devastating effect on any organization that experiences a data breach. Anthem has already been hit with putative class action lawsuits in Alabama, California, Georgia and Indiana alleging that Anthem did not have adequate security procedures in place to protect its customers, and it is likely that more suits will follow. In addition to the FBI’s investigation into the attack, the Attorneys General of New York, Connecticut and Massachusetts have indicated that they will be reaching out to Anthem for more information about the attack, the company’s security measures and how it plans to prevent future attacks.
The Anthem breach was the largest in the health care industry so far and may be a harbinger of things to come. The FBI and other security experts have been warning that the health care industry is a key target for cybercriminals, and a single security incident resulting in a data breach can have significant and immediate consequences that include government investigations, class action lawsuits, and a hit to the organization’s reputation. To manage this risk, we encourage all companies handling health information to create, review and update their data security policies and procedures to ensure that they are doing enough to adequately protect the health information maintained on their IT systems and elsewhere in their organization.
To learn more about strategies you can use to manage your exposure, join me at the upcoming panel discussion on “Cybersecurity and Healthcare: The Key to Limiting Your Risk is being Informed” at the Greater Philadelphia Alliance of Capital and Technologies seminar on Thursday, February 26, 2015 in West Conshohocken, Pennsylvania. Click here to register.