No health insurance plan is too big to be hacked. Anthem, Inc. (formerly Wellpoint), the parent organization of Blue Cross and Blue Shield plans in a number of states, including New York, announced on February 4 that hackers had stolen the information of perhaps ninety million subscribers. While there is, as of this writing, no indication that medical information was stolen, the information subject to the attack included such personal identifiers as Social Security numbers, medical record numbers and dates of birth.
The breach, discovered last week but announced on February 4, marks a departure from recent cyber attack disclosures in that Anthem stated that it had discovered the breach itself, rather than learning of it from a notification by subscribers or others, and disclosed it quickly. The breach also affected Anthem employees, though whether the attack on their information included employee medical data has not been disclosed.
More information as to the vulnerability, and particularly whether Anthem relied, like many organizations, on single-factor authentication for access to subscribers’ sensitive information, may be revealed as the investigation continues. Regulatory agencies such as the U.S. Department of Health and Human Services, the Federal Trade Commission and the Securities and Exchange Commission (Anthem, Inc. is a public company), along with state attorneys general (Anthem has subscribers in fourteen states), will also undoubtedly investigate to ascertain whether previously known and less-than-robust information security controls contributed to the attack, thought to be the largest healthcare breach in U.S. history.
If you have questions regarding healthcare cybersecurity compliance, please contact Kenneth N. Rashbaum.