Health insurer, Anthem, Inc., is the latest organization to become a victim of a cyberattack. On January 29, 2015, Anthem, Inc., which is the parent company of Blue Cross and Blue Shield, Connecticut’s largest health insurer, determined that hackers had invaded its network and obtained the personal information of more than 80 million customers and employees. Based on preliminary reports, it is believed that the hackers obtained customers’ and employees’ names, addresses, birth dates, Social Security numbers, email addresses, employment information, income data, and medical identification numbers, but the hackers did not obtain medical and financial information.
In Connecticut, the breach could impact more than 1 million customers. Connecticut Governor Dannel Malloy has instructed residents to monitor all financial accounts because individuals may use the obtained information to open new lines of credit, open new credit cards, and steal tax refunds. In addition, experts have cautioned that hackers may use the combination of an individual’s Social Security number and medical information to perpetuate identify theft and email phishing scams, and to file false insurance claims.
It has been reported that the compromised information was particularly vulnerable because Anthem did not encrypt the data. The Health Insurance Portability and Accountability Act (HIPAA) mandates that covered entities and health plans, such as health insurers, encrypt electronically protected health information. Specifically, the HIPAA Security Rule establishes administrative, technical, and physical safeguards that entities must use to protect the confidentiality and security of individuals’ electronic protected health information. Given that encryption can be a powerful tool in thwarting hackers’ infiltration attempts, it is worthwhile for businesses to encrypt confidential personal information even if businesses are not legally mandated to do so.