Experts say that Anthem’s lack of encryption doesn’t matter. Find out why they might be wrong in our legal analysis.
The recent successful hack on Anthem is but the latest high-profile data breach in a string of data breaches, and it was a hefty one, compromising dozens of millions of customers’ records containing personally identifiable information and other sensitive data. Anthem’s employee records, too, were compromised. Unlike most other superbreaches of the past couple of years, however, Anthem isn’t a retailer. It’s a health insurance company, and that fact has significant ramifications for both the organization and the victims.
According to a 2013 report by Dell SecureWorks, health insurance credentials are worth 10 to 20 times more than simple credit card numbers. That fact, combined with the industry’s embarrassing reputation for lax data security, has made healthcare organizations high-demand targets for hackers and identity thieves these past couple of years.
The Anthem attack was unique for several reasons. It appears to have been perpetrated by hackers sponsored by the Chinese government, most likely a group known as Deep Panda. And the compromised data were unencrypted, a fact that raises legal questions.
Some experts say that the lack of encryption in this case does not matter. Healthcare data journalist Fred Trotter, for instance, reports that “[e]ncryption probably would not have helped,” speculating that the level of access the hackers obtained would have rendered any level of encryption a moot point. Trotter goes on to suggest that encryption would have hindered legitimate accessibility of the data within Anthem’s organization itself in ways that would have made HIPAA compliance more difficult.
While Trotter’s other points are well taken, the issue of HIPAA compliance is one worth examining. To get a better idea of where Anthem might stand in relation to HIPAA, a cursory look at the timeline is in order.
WellPoint and Anthem: A History of Cybersecurity Stumbles
Anthem was not always Anthem. Until very recently, the company went by the name WellPoint, only changing its name to Anthem on December 3, 2014.
On October 23, 2009, a botched upgrade to WellPoint’s systems followed by a further botched security review left the identity and health record data of more than 612,000 policy applicants publicly exposed on the Web for all to see until March 7, 2010. The data leak was discovered and reported by attorneys gathering information for a legal action against the insurance company.
Of course, several lawsuits related to WellPoint’s data breach followed. Both state and federal government enforcers opened legal fire as well, negotiating and obtaining significant settlements. In particular, WellPoint had to (inter alia) fork over $1.7 million to the Department of Health and Human Services (“DHHS”) and $100,000 to the Consumer Assistance Fund of its home state of Indiana.
Fast forward to April 8, 2014. The FBI distributed an alert to healthcare companies, advising that the healthcare industry’s cybersecurity practices lagged far behind other sectors, such as retail and financial services. The FBI’s mention of the retail sector was especially notable, considering the fact that the advisory followed major hacks against large retailers such as Target, Neiman Marcus, and Michaels.
“[T]herefore the possibility of increased intrusions is likely,” read the notice.
Less than four and a half months later, the FBI distributed another alert to healthcare companies, this time to warn them that they were being actively targeted by hackers and that their customers’ Protected Healthcare Information (PHI) and Personally Identifiable Information (PII) were at risk. The impetus for the alert was the then-recent Heartbleed-related data breach that another healthcare organization, Community Health Services, had suffered.
Anthem may have already become a target by the time the FBI issued its warnings. An Anthem memo indicates suspicious query activity on its network going back to December 10. Other evidence, discovered by security firms such as ThreatConnect, CrowdStrike, and Symantec, suggests the beginnings of the attack originated even earlier, perhaps just a few weeks after the FBI’s April advisory. An apparent WellPoint spoof domain originating in China, “we11point[dot]com,” replete with subdomains mimicking actual WellPoint.com subdomains such as “myhr[dot]we11point[dot]com” and “hrsolutions[dot]we11point[dot]com,” was registered in April 2014 and clearly designed to mimic WellPoint’s actual infrastructure. Malware reportedly linked to the Deep Panda references the spoof domain, as well as an email address owned by Song Yubo, an information security professor in Nanjing whose research center receives funding from the Chinese government to work on cyberwarfare applications.
“It’s…incredible that so many companies could see the outlines of a threat against such a huge target, and that it took until just this past week for the target to become aware of it,” observed cybercrime journalist Brian Krebs in a February 9 blog post, reporting on this evidence. “For its part, ThreatConnect tweeted about its findings back in November 2014, and shared the information out to its user base.”
Was Anthem HIPAA-Compliant?
HIPAA does not strictly require encryption in all cases, but healthcare organizations are obligated to at least “address” the issue of encryption. They may reasonably opt to employ other security measures in lieu of encryption if, among other factors, the risk of unauthorized data disclosure is low.
According to privacy attorney Adam Greene, a history of multiple breaches demonstrates that this disclosure risk is not low. Anthem’s data breach from five years ago, the FBI’s 2014 alerts of heightened cyber risk to healthcare companies, and the threat intelligence and other relevant information around Anthem all combine to demonstrate that the risk was not insignificant. Hence, a DHHS action against Anthem – while perhaps escapable – remains possible.
Anthem has more than DHHS to worry about, too. On top of dealing with myriad investigations from states’ Attorneys General, Anthem faces multiple lawsuits over its data breach, lawsuits that level accusations such as negligence, breach of contract, and violations of various applicable state laws.
It’s worth mentioning here that negligence plaintiffs have successfully used HIPAA standards as evidence of the level of care owed to a plaintiff. This is, however, a two-way street. If Anthem can establish that it didn’t violate the standards of care owed under HIPAA, it may yet escape liability to its data breach victims.
Still, considering Anthem’s recent history, that’s a big “if.”