Dive Brief:
- CareFirst BlueCross BlueShield, a nonprofit insurer that serves Maryland, northern Virginia and D.C., announced Wednesday that it has been the target of a cyberattack that exposed 1.1 million members.
- Attackers breached a single database on June 19, 2014, where they were able to gain access to members' names, birth dates, email addresses and subscriber identification numbers. The company says that hackers did not gain access to social security numbers, medical claims, employment, credit card or other financial information.
- CareFirst has engaged the services of security firm Mandiant (also hired by Anthem in the wake of its breach) to help manage the attack and assess its IT systems.
Dive Insight:
According to CEO Chet Burrell, the data the hackers acquired is basically useless because the corresponding passwords for each username were housed in a separate, unaffected database. It's worth taking that with a grain of salt, however, since Burrell also said the attack went completely undetected by the company, and that only "traces" remain. More details may emerge after Mandiant has conducted its assessment.
"Sophisticated" also remains the word du jour for execs describing healthcare hackers:
"We have constant monitoring going on, every second of every day, but the nature of this attack was sophisticated enough that we couldn't detect it," Burrell said.
Some security experts have begun to question why healthcare companies hold on to data for so long, potentially increasing the risk of theft. "These breaches we're seeing wouldn't be near as large as they are if they weren't holding on to so much data," Mac McMillan, an IT healthcare security expert and founder of security consultancy CynergisTek, told Modern Healthcare. "One of the overarching questions that needs to be asked is why are companies able to hold on to so much information on people they're no longer serving?"
HIPAA requires covered entities to retain documentation required by law "for six years from the date of its creation or the date when it last was in effect, whichever is later." In general, companies hold onto that data because it may have future value—for example, as documentation in the event of litigation.
Still, the risk may outweigh the benefit of keeping old data, Mark Shelhart, senior manager for incident response and forensics at Sikich, told MH. "Our answer, almost always, is get rid of it as fast as you possibly can," he said, noting that data older than five years should be housed on a system that is not connected to the internet, and therefore can't be accessed from outside of the company.