As you’ve certainly heard by now, as many as 80 million customers of the country’s second-biggest health insurer have been affected by a massive data breach. Names, birthdays, addresses, employment information and Social Security numbers were exposed, but it appears the attackers left patient medical histories untouched.
I want to correct some misinformation that’s floating around. A few articles (on very reputable news sites) have claimed “the breach does not come under any HIPAA rules” because there was “no actual medical information” stolen. That is incorrect. In fact, a great deal of the information stolen is indeed considered Protected Health Information (PHI) as defined by the HIPAA Privacy and Security Rules, so this is absolutely a breach of PHI and HIPAA violation. On their blog, Milton Security outlines section 117 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which backs up this assertion.
WHAT IS PHI?
HIPAA.com explains that in addition to what we traditionally think of as “medical information,” PHI includes:
- All geographic subdivisions smaller than a state (including street address, city, county, precinct, and zip code)
- Telephone numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
This isn’t an exhaustive list, but it gives you an idea of how just how much information falls under PHI and is subject to HIPAA regulations when it is maintained by a healthcare Covered Entity in order to conduct healthcare Treatment, Payment or Operations. In other words, if a healthcare organization has your information so it can provide treatment, pay for your medical care, or operate a medical system, that information is PHI and must be protected in accordance with the requirements of HIPAA.
WHY THIS MATTERS
At this point, most security leaders have come to terms with the fact that you can’t protect every scrap of information within your organization. It’s simply not possible. You can, however, focus efforts on your high-priority business assets. Critical assets put the organization at risk. For example, the breach of credit card data and customer data at Target has cost over $236 million (and counting). That does not include the several billion dollars worth of liability in the four lawsuits brought against Target by customers and banks that have been impacted. In the case of Anthem, it’s any and every device storing PHI data.
Of course, the first step to protecting these critical assets is to identify them. While some information would be inconsequential in the hands of an adversary, the breach of others could get you slapped with a massive fine and even put your customers at risk. This is why it’s important to understand which data and assets really matter to your organization and to apply security resources appropriately.
For more on avoiding HIPAA violation penalties and protecting your critical assets, check out our white paper: Attack Intelligence, They Key to Reducing Risk in Healthcare.
Eric Cowperthwaite is the VP of Advanced Security and Strategy at Core Security. Before joining the Core Security team, Eric was the CISO of Providence Health & Services, an organization with $12.5 billion in revenue, 32 hospitals and 65,000+ employees.