The recent cyberattack on Anthem, Inc., one of the largest health insurance companies in the United States, illustrates the persistence and severity of the risk of data breaches. On February 4, 2015, Anthem confirmed that one of its databases had been hacked. The data breach exposed personal information of approximately 80 million Anthem customers and employees—including names, birthdays, member health ID and Social Security numbers, street addresses, telephone numbers, e-mail addresses, and employment information—making it potentially the most damaging cyberattack to date on a health insurer.
Noting a pattern of medical data thefts from health insurers by foreign intelligence organizations, the FBI concluded that the attack was likely the work of Chinese hackers attempting to gain access to the networks of defense contractors and government workers. Moreover, while hackers have targeted healthcare providers, similar attacks on companies like Target, Sony, JP Morgan Chase, and Home Depot signify that the risk extends to all types of businesses.
One obvious implication for businesses that fall victim to these attacks—beyond negative press—is the exposure to liability for the resulting invasion of individuals’ privacy. For instance, individuals have already begun filing class action lawsuits over this particular breach, asserting that Anthem should be held responsible given its inadequate security measures—namely, its failure to employ encryption to prevent unauthorized access to their personal information.
What Steps are Officials Taking to Protect against Cybersecurity Threats?
In response to this latest hack, on February 13, 2015, President Barack Obama announced an executive order intended to help protect companies from cybersecurity threats by encouraging them to voluntarily share more information about cyber threats with one another and with the government. While this is certainly a step toward guarding against cyberattacks, there remains a strong need for cybersecurity legislation that imposes mandatory information sharing and shields companies from legal liability for over-sharing. However, it may take some time for Congress to strengthen cybersecurity laws given the concerns over intrusive government surveillance practices and the potential use of encryption to disguise criminal activity.
How can Businesses Protect Data from Hackers in the Meantime?
Given that the major weakness in Anthem’s cybersecurity was its failure to encrypt data, encryption is an important precaution for businesses. However, encryption is a safeguard, not a guaranteed protection: an attacker who obtains valid credentials can generally read the data that a system decrypts for its legitimate users. Thus, businesses should also become familiar with and implement up-to-date data breach detection and response policies in order to mitigate the harm when a safeguard fails.
One particularly important cybersecurity consideration is the required disclosure of a breach. In addition to reporting the incident to the appropriate federal regulator to ensure prompt identification and elimination of the threat, healthcare providers like Anthem may be required under the Health Insurance Portability and Accountability Act (HIPAA) to make certain notifications to former and present employees and their dependents, federal regulators, and the media. While some state data breach notification laws defer to HIPAA, the specific laws of each state should be reviewed to ensure that notification plans comply with any additional reporting or safeguard requirements.
At our law firm, we assist clients in legal issues related to cybersecurity breaches. You may contact us in order to set up a free consultation.