You read that headline correctly: between 8.8 and 18.8 million people are at risk as a result of the massive data breach that hit health insurer Anthem Inc. – despite having no relationship with the company.
When Anthem announced in early February that hackers had accessed its servers and stolen personal information – including names, birth dates, phone numbers, addresses, email addresses, Social Security numbers, and employment information – it was estimated that about 78.8 million customers were affected, including some 13.5 million Californians, 27,000 North Dakotans, 775,000 North Carolinians, 3.77 million Virginians, and 11,000 New Mexicans. Now it transpires that the attackers got even luckier: a further 8.8 to 18.8 million people who aren’t Anthem customers could also be affected.
Anthem Inc. is one of the licensees in the nationwide network of Blue Cross Blue Shield health insurers. It operates Blue Cross Blue Shield health plans in California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, Ohio, and Wisconsin, as well as in parts of New York and Virginia.
Holders of Blue Cross Blue Shield plans in other states where Anthem doesn’t have a presence could also be affected, however, because the breached Anthem database contained the personal information of partner Blue Cross Blue Shield companies’ customers as well.
So, if you’ve got health insurance with Blue Cross Blue Shield, you could be at risk of identity theft as a result of the Anthem breach.
The Health Insurance Portability and Accountability Act (HIPAA)
Health care organizations are bound by the Health Insurance Portability and Accountability Act (HIPAA), whose Administrative Simplification rules (chiefly the Privacy Rule and the Security Rule) regulate the use and disclosure of Protected Health Information (PHI) by covered entities and their business associates, and require administrative, physical, and technical safeguards for PHI held electronically.
HIPAA covered entities that are concerned about data security should implement an information security management system (ISMS), as specified by the international best-practice standard ISO 27001.
By virtue of its all-inclusive approach, ISO 27001 covers the information security elements of HIPAA by providing an auditable ISMS designed for continual improvement. Note that certification demonstrates a functioning management system rather than HIPAA compliance as such: the Security Rule’s administrative, physical, and technical safeguards still have to be mapped to the ISMS’s controls and evidenced individually.
Because many related legislative and regulatory frameworks demand overlapping controls, organizations that achieve ISO 27001 registration often find they have satisfied much of what those frameworks require as well. In addition, the external validation that registration provides is likely to improve an organization’s cybersecurity posture while giving customers and stakeholders a higher level of confidence, which is essential for securing certain global and government contracts.
IT Governance’s ISO 27001 Packaged Solutions provide fixed-price ISO 27001 implementation resources and consultancy support for all organizations, whatever their size, sector, or location, from under $600.
Civil monetary penalties (CMPs) for HIPAA violations can be as much as $50,000 per violation, up to an annual maximum of $1.5 million for violations of the same provision, and criminal penalties can incur fines of up to $250,000 and ten years’ imprisonment where PHI is obtained or disclosed with intent to sell it or to use it for commercial advantage, personal gain, or malicious harm.