Anthem data breach – who was most affected?

It may seem like old news to some, but the Anthem data breach that was revealed February this year is now known to have affected over 80 million people throughout the US. This includes current or former members of Anthem’s affiliated health plans, and members of other independent Blue Cross and Blue Shield plans.

The story continues to garner widespread media coverage, including recent revelations that the stolen data was not encrypted and that Anthem refused to allow an audit of its systems by the Office of Personnel Management’s Office of the Inspector General (OIG), although it insists it is cooperating with the FBI.

It is unknown how hackers accessed the data, but patients are filing class action suits against the insurer left, right, and center.  At least two individuals have filed separate $5 million lawsuits over the Anthem data breach in the past month.

Whose data was affected?

Below is a heat map showing where individuals were affected in the US, according to local news sources. This data takes into account Anthem customers as well as Blue Cross and Blue Shield plans, which were also likely to be affected.

Anthem data breach heat map

As you can see from the map, California, Indiana, Georgia, Missouri, and Connecticut were most affected, whereas North Dakota and New Mexico were least affected by the breach.

Unlike the hackers, we don’t have enough information on victims from the states in gray to say how many (if any) people were affected.

Those living in states where Anthem, Blue Cross, or Blue Shield do not operate may have been subject to the breach if they received health care treatment in a state that does use those insurers.

HIPAA breach

While it is clear this is a breach of the Health Insurance Portability and Accountability Act (HIPAA), Anthem’s focus is on stopping the leaks and preventing a recurrence. Ultimately, however, they could face harsh fines under the Act, and certain individuals could even face fines of up to $250,000 and ten years’ imprisonment.

Organizations with multiple compliance requirements (such as SOX, HIPAA, the PCI DSS, and the GLBA) often seek registration to ISO 27001, because the international Standard can centralize and simplify disjointed compliance efforts. ISO 27001 presents a comprehensive and international approach to implementing and maintaining an information security management system (ISMS), and it is often the case that companies will achieve compliance with a host of related legislative frameworks simply by achieving ISO 27001 registration.

The latest version of the Standard, ISO 27001:2013, is simple to follow and has been developed with business in mind. It presents a comprehensive and logical approach to developing, implementing, and managing an ISMS, and provides associated guidance for conducting risk assessments and applying the necessary risk treatments.

For fixed-price solutions to achieving registration to the Standard, see our ISO 27001 Packaged Solutions. They provide everything you need to implement ISO 27001 while reducing the usual associated complexities and costs.

ISO 27001 Packaged Solutions