For the second time in as many months, a major healthcare insurer has become the target of cyberthieves.
This week, Premera Blue Cross announced it had been the target of hackers who gained access to the financial and medical information of 11 million members. In February, Anthem, Inc., announced that personal information of around 80 million customers and employees had been compromised.
This isn’t the first time, and it certainly won’t be the last time, that healthcare organizations fall victim to data breaches. A report published in February by the SANS Institute found that between September 2012 and October 2013, 375 U.S. healthcare organizations were compromised.
That is why it is important now, more than ever before, for healthcare organizations to ensure that they implement adequate security controls so that they don’t find themselves in violation of the HIPAA Security Rule or the HITECH Act.
The HIPAA rule was promulgated in 1996 and requires the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. Before HIPAA, there was no generally accepted set of security standards or general requirements to protect healthcare information.
The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act of 2009. It was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.
Although health data encryption is not a HIPAA requirement, many in and outside of the healthcare industry are beginning to suggest it should be standard practice. The U.S. Senate Health, Education, Labor and Pensions committee said last month it would consider data encryption requirements as part of a bipartisan review of health information security.
The Office for Civil Rights, which is a unit of the federal Health and Human Services Department, has previously said that the personal data stolen by the Anthem hackers was covered by HIPAA, even if it didn’t include medical information.
Penalties for violations can be high. HIPAA fines can start at $100 and go as high as $50,000, capping at $1.5 million, depending on the scope of the data breach.
As cyberthieves become more sophisticated, the problem will only get worse. It is imperative that those in the healthcare industry who are entrusted with the personal information of others understand the emerging threats created by cyberthieves. And they must begin to develop or improve data privacy practices, as well as create response plans designed to minimize the risk of a data breach.
The Health Law Offices of Anthony C. Vitale assists clients with HIPAA compliance issues. Give us a call to discuss your individual needs.