The big data breach at Anthem Inc. (NYSE:ANTM) was bad for Anthem, and any other players in the U.S. health care system that would prefer to spend money on providing and improving care for patients, rather than on beefing up data security.
The attack affected an unencrypted database that may have held up to 80 million past and present customer records. The attack does not seem to have involved the theft of credit card data, medical records or insurance claim information, but it apparently did expose names, birth dates, Social Security numbers, e-mail addresses and employee income data.
Katie Benner, a columnist at Bloomberg, is reporting speculation that hackers affiliated with the Chinese government could be responsible, and that the hackers’ goal may have been to get into the records of workers’ at defense contractors.
Clearly, the attack could be wonderful for the hackers and their sponsors, and lucrative for the lawyers of the people with records affected by the data theft.
Who else could get lemonade out of the hacking lemons?
For a few ideas, read on.
1. Health data security specialists.
They were already busy, thanks to expanding federal Health Insurance Portability and Accountability Act (HIPAA) data management audit programs.
Now, the data security specialists’ appointment calendars are booked solid.
Beazley, a consulting firm, is putting Katherine Keefe, the head of its breach response team, in the spotlight. Beazley alone has handled about 1,300 health care breaches since 2009, and it says it doubled the size of its breach protection program between 2013 and 2014.
2. Benefit plan administrators and other vendors that take charge of protected health information storage.
Doctors and hospitals have no choice about whether to collect, use and hold HIPAA protected health information (PHI). Insurers may have no choice about whether to at least hold and process some kind of encrypted, code-identified information at some points.
Other players in the U.S. health care system, such as insurance agents and brokers plan administrators, and employers that run their own health-related benefit plans, may be able to insulate themselves from PHI risk by hiring some other entity to accept the risks involved with collecting and holding PHI. A number of firms offer “hands-off HIPAA-compliant” data services.
Some of the most visible companies in the hands-off HIPAA-compliant data market include IBM, Cisco, OnRamp and IVR Technology.