Anthem Data Breach: How Safe Is Health Information Under HIPAA?

This report discusses the implications of the recent data breach at Anthem Inc., which raised new concerns about the vulnerability of electronic health information. Security experts question whether the Health Insurance Portability and Accountability Act (HIPAA) privacy and security standards are sufficiently protective of sensitive patient information.

CRS Insights Anthem Data Breach: How Safe Is Health Information Under HIPAA? C. Stephen Redhead, Specialist in Health Policy (credhead@crs.loc.gov, 7-2261) February 24, 2015 (IN10235) The recent data breach at Anthem Inc.—the nation's second-largest health insurer, with more than 37 million enrollees in its health plans—raises new concerns about the vulnerability of electronic health information. Security experts question whether the Health Insurance Portability and Accountability Act (HIPAA) privacy and security standards are sufficiently protective of sensitive patient information. On February 4, Anthem announced that it had been the subject of a "very sophisticated external cyberattack." After several prior attempts, the hackers succeeded in accessing a company database containing as many as 80 million records of current and former Anthem customers as well as employees. A company website indicates that the hackers accessed names, dates of birth, member IDs and Social Security numbers, home and email addresses, and employment information. They do not appear to have gained access to any credit card or medical information. Even though the compromised data may not include any clinical information, it is still protected under HIPAA because it relates to the payment of health care. According to Anthem, the hackers obtained the security credentials of one or more computer system administrators. They used those credentials to log into the company system and access the data, which was not encrypted. Encryption is commonly used to protect data transmitted from one location to another, but encrypting data at rest (i.e., stored in place and not being transmitted) is controversial. Encryption can add cost and make day-to-day management and use of the data more burdensome. Some security experts argue that encryption, by itself, would not have thwarted the Anthem breach because the hackers were able to access the credentials of someone inside the company. They note that an attacker with sufficiently elevated security credentials (including access to the encryption and de-encryption keys) would be able to access encrypted data. While encryption helps protect sensitive information, the Anthem breach shows the importance of having other safeguards in place, including strong data access controls. The Anthem breach has led to renewed criticism of the HIPAA security standards, which are intended to protect electronic information—both at rest and during transmission—from unauthorized access, use, or disclosure. The standards are technology-neutral and scalable, based on the size and complexity of the organization. They include security management, data access controls, and data transmission security. Payers and providers of health care have considerable discretion in how they implement the HIPAA security standards. Each standard is accompanied by one or more implementation specifications. Some implementation specifications are required; for example, to meet the security management standard, each organization must conduct an accurate and thorough data risk assessment. Other implementation specifications are "addressable." Organizations must assess each addressable specification to determine if it is "a reasonable and appropriate safeguard in its environment" before deciding whether to adopt it. Encryption is one of the addressable measures. Entities that choose not to use encryption must document the reasons and implement an "equivalent alternative measure if reasonable and appropriate." The Anthem breach calls into question whether health care payers and providers should be permitted such latitude in implementing the HIPAA security standards versus a more prescriptive, mandatory approach. Since 2009, HIPAA-covered entities—payers and providers of health care and their business associates —must notify all individuals affected by a breach of unsecured (i.e., unencrypted) health data. The law created an exemption for entities that secure their data through encryption in an effort to encourage the practice. Any breach affecting 500 or more individuals must be reported to the Secretary of Health and Human Services (HHS) within 60 days of its discovery. Entities can maintain a log of smaller breaches and submit the log to HHS annually. The HHS Office for Civil Rights, which administers and enforces the HIPAA privacy and security standards, is waiting for Anthem's breach report before beginning an investigation. In the meantime, the FBI has launched its own investigation. OCR is required to maintain a website listing all the major breaches affecting 500 or more individuals. A total of 1,141 breaches are listed affecting more than 41 million individuals (see Figure 1), making the Anthem breach potentially twice as large as all previous reported incidents. Figure 1. Number of Persons Affected by Health Information Breaches Source: CRS analysis of HHS Office for Civil Rights data (accessed February 17, 2015), https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. Digital security experts predict that data breaches in the health care sector are likely to get larger and become more frequent. They think hackers may be turning toward the health sector as retail companies improve their security after recent breaches at Target and Home Depot involving tens of millions of customers. Also, medical information fetches higher prices than credit card numbers, which can quickly be deactivated. Medical identity theft is on the increase. It occurs when someone uses an individual's name and personal identity to receive medical services and prescription drugs fraudulently, including attempts to submit fraudulent insurance claims. This trend is happening at a time when the federal government is spending billions of dollars to promote electronic health records and the exchange of digital health information. A new report finds that almost 500,000 people in 2014 were victims of medical identity theft, up 22% from the previous year. Unlike credit card fraud, victims of medical identity theft often pay significant amounts—an average of $13,500 in 2014—to resolve the crime. They may end up paying health care providers or insurers for services obtained deceitfully by others. Some experts question whether the incentives are sufficiently strong for health insurers to improve digital security. A highly publicized data breach at a large retailer can have an immediate financial impact as customers take their business elsewhere. But health insurers may not be subject to the same level of risk. Most individuals receive health insurance through their employers who have long-term contracts with insurers that may be difficult to break unless there is clear evidence of wrong-doing by the insurer. Moreover, it is not the employers but the employees who generally are affected by breaches. Adam Salazar, Research Assistant, provided assistance with this Insight and prepared Figure 1.