The massive data breach announced last week by health insurer Anthem Inc. exposed the personal information of up to 80 million customers and brought more attention to the data security practices of two already highly regulated industries — healthcare and insurance.
The National Association of Insurance Commissioners (NAIC), for example, announced that it will investigate Anthem’s security practices to determine the need for updated protocols and increased regulation.
The breach also raised questions about the adequacy of the nation’s primary federal health privacy law, the Health Insurance Portability and Accountability Act (HIPAA), and its failure to require insurers to encrypt customers’ personal information. This may come as a surprise to some consumers, who have a reasonable expectation that their healthcare information will remain private and that regulators are requiring the highest level of security standards.
Using the number of cyber-related cases as a benchmark, the insurance industry has had a relatively decent record for data security over the years, but the healthcare industry has been less than stellar. Although the number of cyber cases involving healthcare companies has remained fairly steady since 2010, healthcare remains one of the leading industries for cyber-related losses according to Advisen’s Loss Insight data. However, increased regulatory scrutiny on the heels of Anthem’s breach could cause a spike in cyber cases for these industries in the coming years.
Fraudulent credit card charges and hacked bank accounts are huge concerns for many consumers, but a breach of personal health information (PHI) may be a bigger threat. As a whole, these industries are not nearly as competent at securing data as financial institutions, and the type of information they collect is more attractive to attackers.
On the hacker black markets, PHI “is even more valuable than credit card data,” selling for approximately 10 to 20 times the value of credit cards according to McAfee Labs’ Threats Report. Consequently, “Personal Privacy” represents a significant portion of the data lost by both the insurance and healthcare industries.
The exact cause of the Anthem breach is still under investigation, but initial reports point to a hijacked employee log-in. The attackers accessed the names, Social Security numbers, birthdates, home addresses, email addresses and employment information of millions of customers from Anthem’s database. According to Advisen, “servers” represent a significant source of data loss for both the healthcare and insurance industries.