Health insurance providers are clearly an attractive target for cyber criminals. 2015 has so far seen data breaches affecting health care information held by Anthem, Lone Star Circle of Care, UMass Memorial Medical Group, California Pacific Medical Center, St Peter’s Health Partners, the US Postal Service, and TRH Health Plan. Now comes a new batch of cyber attacks.
Premera Blue Cross, LifeWise, and Advantage Dental have all reported data breach incidents this week, affecting a total of about 11.4 million customer records. Here are the details:
Premera Blue Cross
Number of affected records: 11 million.
Type of personal information compromised: “name, date of birth, email address, address, telephone number, Social Security number, member identification numbers, bank account information, and claims information, including clinical information.”
Details: “On January 29, 2015, Premera Blue Cross (Premera) discovered that cyberattackers had executed a sophisticated attack to gain unauthorized access to our Information Technology (IT) systems. Our investigation further revealed that the initial attack occurred on May 5, 2014. As part of our own investigation, we notified the FBI and are coordinating with the Bureau’s investigation into this attack…
“This incident affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and our affiliate brands Vivacity and Connexion Insurance Solutions, Inc…. This incident also affected members of other Blue Cross Blue Shield plans who sought treatment in Washington or Alaska.”
More information is available at premeraupdate.com.
LifeWise
Number of affected records: 150,000
Type of personal information compromised: “name, date of birth, address, telephone number, email address, Social Security number, member identification number, bank account information, and claims information, including clinical information.”
Details: “On January 29, 2015, LifeWise discovered that cyberattackers had executed a sophisticated attack to gain unauthorized access to our Information Technology (IT) systems. Our investigation further revealed that the initial attack occurred on May 5, 2014. As part of our own investigation, we notified the FBI and are coordinating with the Bureau’s investigation into this attack…
“This incident affected LifeWise Health Plan of Washington, LifeWise Health Plan of Oregon and LifeWise Assurance Company. It also affected LifeWise Health Plan of Arizona, which no longer does business in that state…
“Individuals who do business with us and provided us with their email address, personal bank account number or social security number are also affected.”
More information is available at lifewiseupdate.com.
Advantage Dental
Number of affected records: 151,626
Type of personal information compromised: “name, date of birth, phone number, social security number, and home address. No treatment, payment, or any other financial data was accessed.”
Details: “The unauthorized access occurred between February 23, 2015 and February 26, 2015. The intruder was able to gain access to this database through a computer that had been infected with malware. Advantage terminated the illegal access immediately upon discovery on February 26, 2015…
“Since terminating the illegal access, Advantage has been reviewing and improving its safeguards, implemented mitigation steps to prevent further access and has been working with law enforcement to properly determine the scope of the incident and any additional steps that might be required.”
More information is available at advantagedental.com.
The Health Insurance Portability and Accountability Act (HIPAA)
Health care organizations are bound by the Health Insurance Portability and Accountability Act (HIPAA), whose Administrative Simplification rules regulate the use and disclosure of Protected Health Information (PHI) by covered entities.
HIPAA-covered entities that are concerned about data security should implement an information security management system (ISMS), as specified by the international best-practice standard ISO 27001.
By virtue of its all-inclusive approach, ISO 27001 encapsulates the information security elements of HIPAA by providing an auditable ISMS designed for continual improvement.
It is often the case that companies will also achieve compliance with a host of other related legislative frameworks simply by achieving ISO 27001 registration. In addition to this, the external validation offered by ISO 27001 registration is likely to improve an organization’s cybersecurity posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.
IT Governance’s ISO 27001 Packaged Solutions provide fixed-price ISO 27001 implementation resources and consultancy support for all organizations, whatever their size, sector, or location, from under $600.
Civil monetary penalties (CMPs) for HIPAA violations can be as much as $50,000 per compromised record, up to an annual maximum of $1.5 million, and criminal penalties can incur fines of up to $250,000 and ten years’ imprisonment.