The big data breach at Anthem Inc. (NYSE:ANTM) was bad for Anthem, and for any other players in the U.S. health care system that would prefer to spend money on providing and improving care for patients rather than on beefing up data security.
The attack affected an unencrypted database that may have held up to 80 million past and present customer records. The attack does not seem to have involved the theft of credit card data, medical records or insurance claim information, but it apparently did expose names, birth dates, Social Security numbers, e-mail addresses and employee income data.
Katie Benner, a columnist at Bloomberg, is reporting speculation that hackers affiliated with the Chinese government could be responsible, and that the hackers’ goal may have been to get into the records of workers at defense contractors.
Clearly, the attack could be wonderful for the hackers and their sponsors, and lucrative for the lawyers of the people with records affected by the data theft.
Who else could get lemonade out of the hacking lemons?
For a few ideas, read on.
1. Health data security specialists.
They were already busy, thanks to expanding federal Health Insurance Portability and Accountability Act (HIPAA) data management audit programs.
Now, the data security specialists’ appointment calendars are booked solid.
Beazley, a consulting firm, is putting Katherine Keefe, the head of its breach response team, in the spotlight. Beazley alone has handled about 1,300 health care breaches since 2009, and it says it doubled the size of its breach protection program between 2013 and 2014.
2. Benefit plan administrators and other vendors that take charge of protected health information storage.
Doctors and hospitals have no choice about whether to collect, use and hold HIPAA protected health information (PHI). Insurers may have no choice about whether to at least hold and process some kind of encrypted, code-identified information at some points.
Other players in the U.S. health care system, such as insurance agents and brokers, plan administrators, and employers that run their own health-related benefit plans, may be able to insulate themselves from PHI risk by hiring some other entity to accept the risks involved with collecting and holding PHI. A number of firms offer “hands-off HIPAA-compliant” data services.
Some of the most visible companies in the hands-off HIPAA-compliant data market include IBM, Cisco, OnRamp and IVR Technology.
3. President Obama
His people released a cybersecurity legislative proposal in January. One section calls for Congress to standardize and simplify consumer breach notification rules.
At this point, 46 states, the District of Columbia, and several territories have their own breach notification rules, officials said.
The new hack attack could be helpful for Obama’s proposal.
4. Adam Hamm
Adam Hamm, the North Dakota insurance commissioner, is now the immediate past president of the National Association of Insurance Commissioners (NAIC).
He may have felt a little sad and lower profile when he took a new post at the NAIC, as chair of the NAIC’s new Cybersecurity Task Force.
Now the new task force may have a higher profile than some might have expected.
5. Critics of the Patient Protection and Affordable Care Act (PPACA) exchange system, and of wellness programs.
Republicans have repeatedly questioned whether the Patient Protection and Affordable Care Act (PPACA) public exchange system can keep its data in its computers.
The recent breaches at WellPoint and Sony could give those critics real-world hacking impact data they can use to support their arguments.