America’s second-largest health insurance company announced in early February that it had fallen victim to a data breach that may have exposed the data of millions of clients. Anthem Health Insurance admitted that the names, birth dates, addresses, Social Security numbers and income data for as many as 80 million clients and employees were potentially compromised due to a lack of encryption. The company said that there is no evidence that financial or medical information was accessed during the breach.
With a toll in the tens of millions, the cyberattack could be the largest breach of a healthcare company ever, putting it on par with the breaches that took place at Target and Home Depot. The “very sophisticated external cyberattack” exposed the information of so many people that even the insurer’s chief executive was affected. Anthem operates numerous brands of health plans, including Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Anthem Blue Cross, and Anthem Blue Cross and Blue Shield.
Insufficient protection leaves data at risk
In a statement posted on the company’s website, Anthem claimed to have a state-of-the-art security system in place to protect privileged information, but the two most valuable pieces of data for identity thieves – Social Security numbers and birth dates – were not encrypted. Not surprisingly, this isn’t the first time Anthem has had client information exposed. A 2012 lawsuit between Anthem Blue Cross and the California Attorney General was settled after a claim that the insurer compromised 33,000 members of its plan by sending letters with Social Security numbers clearly visible in the envelope windows. In 2013, the company again exposed the Social Security numbers of an undisclosed number of doctors and healthcare providers in a document posted to Anthem’s website.
While the information involved in the breach is not included under the Health Insurance Portability and Accountability Act, Anthem will still likely face lawsuits from those affected, because the company had plenty of warning that such an event was possible. Last summer, the FBI issued healthcare organizations a warning that hackers were targeting them more frequently in the wake of a large-scale data breach against Community Health Systems in which 4.5 million patients had their data stolen. While the threat of data breaches has increased in every industry, the risks are even higher for healthcare organizations, where companies keep massive amounts of personal information in large databases.