CareFirst data hoarding widened breach’s impact

Modern Healthcare - NEWS - By Adam Rubenfire

The newly announced cyberattack against CareFirst Blue Cross and Blue Shield and the massive earlier hacks at Premera Blue Cross and Anthem would have had a narrower impact if the health insurers hadn’t retained customer data for so long, experts say.

CareFirst, which covers about 3.4 million people in Maryland, the District of Columbia and Virginia, said last week that it was the victim of a cyberattack that affected 1.1 million current and former members who have used the company’s online tools. The insurer’s information technology staff believed they had contained a data hack last June.

CareFirst’s acknowledgement that it had a breach to contain last year suggests the insurer probably should have contacted an outside cybersecurity firm at that time, said Ken Dort, a cybersecurity expert and partner in Drinker Biddle & Reath’s Intellectual Property Practice Group. CareFirst later brought in security consultant Mandiant.

Medical and financial information was not stored in the database that was hit, but it did include names, birthdates, e-mail addresses and subscriber identification numbers, all of which is federally protected health information.

Experts are scratching their heads over why the insurers kept data longer than necessary. “These breaches wouldn’t be near as large if they weren’t holding on to so much data,” said Mac McMillan, founder of CynergisTek, an Austin, Texas-based security consultancy. “Why are companies able to hold on to so much information on people they’re no longer serving?”

It’s up to the states to determine how long medical records must be kept, but federal law requires that covered entities retain legally mandated documentation for six years “from the date of its creation or the date when it last was in effect, whichever is later.”

Companies hold customer data thinking it might have future value in litigation or as an explanation of preexisting medical conditions, said Mark Shelhart, a senior manager at Sikich, a professional services firm. But more often than not, the costs associated with a breach are much higher than the cost of not retaining the information. “Our answer, almost always, is get rid of it as fast as you possibly can,” he said. He suggested keeping information that is more than five years old on a system not connected to the Internet.

Katherine Keefe, global head of British insurer Beazley’s breach response services, said her company has assisted clients with breaches in which the impact could have been significantly smaller if the organization or a vendor had not kept older information. “They need to look at document retention and destruction policies and that of their vendors,” she said.
