Close Close

Life Health > Health Insurance

5 reasons the Anthem hacking story should make YOU shiver

Your article was successfully shared with the contacts you provided.

For people involved with the distribution of medically underwritten insurance products, stories about hacking of big corporate databases may seem a little bit like reports of a few cases of Ebola cropping up on some distant continent.

Too bad for those folks, but you have appointments to remember and sales quotas to meet.

When Anthem Inc. (NYSE:ANTM) announced late Wednesday that it had detected an intrusion into one of its major databases, that was like seeing contagion control personnel in hazmat suits parking in your neighbor’s driveway.

Anthem has teams of compliance lawyers to understand the privacy and data security provisions in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) Act, which was part of the American Recovery and Reinvestment Act of 2009. Anthem also has teams of information technology specialists to apply its knowledge of HIPAA and the HITECH Act.

You may have to rely on whatever help insurers and technology vendors are giving you, along with the wise counsel of the techie sister-in-law who helped you set up your WiFi network. 

Meanwhile, hacked health records can sell for more than $10 each, and sometimes for as much as $1,300 each.

Insurers may have insulated you from the hazards of holding anything that HIPAA defines as “protected health information” (PHI) by re-working its underwriting procedures. If not, you could find that performing a task as simple as asking prospects and clients to fill out a simple screening questionnaire could expose you to unexpected risks.

To learn more about HIPAA PHI risks, read on. 


1. For HIPAA privacy and data security purposes, you’re probably a “business associate.”

The Centers for Medicare & Medicaid Services (CMS), an arm of the U.S. Department of Health and Human Services (HHS), has created a 10-page packet to help organizations determine whether they are “covered entities” for HIPAA purposes.

Most health plans are covered entities, and CMS has been getting serious about applying HIPAA privacy rules to health plans.

Some companies that look like something other than health plans may be covered entities in some situations. In other situations, they and their affiliates may act as “business associates,” or entities that use PHI and have to meet roughly the same privacy and data security requirements that health plans must meet.

In theory, a business associate that violated the HIPAA rules could face a civil penalty of up to $50,000 per violation. An associate found guilty of willful neglect and a failure to address a problem promptly could face a civil penalty of as much as $1.5 million per violation.

Data files

2. The HHS Office of Civil Rights could be starting “Phase 2″ audits any day.

CMS and HHS have applied the PHI rules to business associates since 2003, but, in practice, the HIPAA compliance enforcement body, the HHS Office for Civil Rights (OCR), has focused “Phase 1″ audits on covered entities, not business associates.

OCR officials began getting official approvals for the paperwork they would need to conduct “Phase 2″ audits, or audits of insurance agents and other business associates, about a year ago.

OCR officials decided to wait until they had set up an information submission Web portal to start the audits, but HIPAA compliance specialists say the Phase 2 audits could begin at any time.

See also: Phase 2 HIPAA audits


3. At one point, the HHS office in charge of the Phase 2 audits had lousy data security.

If OCR investigators do audit your business, one risk for you is that the investigators could collect sensitive information about you and your business, and that hackers could then get that information from the OCR investigators’ computers.

Officials with the Office of Inspector General at HHS reported in December 2013 that the OCR staff failed to comply with federal risk-management requirements for the three computer systems they used to do their own work.

See also: Data security office has bad data security

Credit card

4. Malware-spreading spam authors are getting more sophisticated.

Some spreaders of viruses, worms and keystroke loggers use email to sneak dangerous software onto victims’ computers.

In the past, many of those emails looked as if they were from senders who were up to no good.

Today, many senders of unsavory email have learned how to compose emails that look like real emails from a recipient’s credit card issuer, employer help desk or friends. The senders may have the victims fooled long enough to get the victims to click on one or more dangerous links. 

See also: 5 big cyber threats for small businesses

Bad password

5. Users are getting around onerous security precautions by using work-arounds that could render all of those sophisticated (but highly annoying) precautions useless.

Systems companies are trying to use sophisticated identity verification systems to reduce the risk of cyber attacks, but the awkwardness of using those systems may lead to behaviors that increase systems’ vulnerability.

Many companies, for example, now require users to create tricky passwords that include lowercase letters, uppercase letters, punctuation marks and special symbols. 

Some users cope by repeatedly re-using the same passwords for different systems. A hacker that finds one user password may find that it leads to entry into many different systems.

In other cases, companies are finding that users forget passwords so often that the companies now advise the users “to write the password down in a safe place.”If that safe place happens to be a paper note next to the user’s computer, in the user’s upper desk drawer, or in a file on the user’s virtual computer desktop, that may leave the user’s accounts vulnerable to snoopers who have access to the user’s office.

See also: New York: Join Security Information Program