HealthBlawg

David Harlow's Health Care Law Blog

    • Twitter
    • Facebook
    • LinkedIn
    • RSS
    • Email
  • About
  • Archives
  • Podcast
  • Press
  • Awards/Reviews
  • HIPAA
  • HCSM

Lessons from the Anthem breach

February 6, 2015

Into the Breach

Anthem experienced a major data breach last week, and reportedly some records (Social Security Numbers and other identifying information, but not health data) of up to 80 million members and employees were obtained by hackers.

There is much to be said (and much has already been said) about the need for privacy and security and protections in the case of Anthem, just as "helpful hints" have been provided after the fact to victims of all significant data breaches. My reaction, when reading about the unencrypted SSNs that were accessed in this attack, was: Why in the world are we using social security numbers as ID numbers? It doesn't have to be this way.

The social security number is the only universal unique identifier we have at our disposal in this country. It's easy to ask for, and to use, but … it's not supposed to be used for anything other than administration of Social Security benefits. Until not all that long ago, states used SSNs as driver's license numbers. No longer (at least around these parts). Most of us get asked for the last 4 (or 5 or 6) digits of our SSNs constantly for all kinds of reasons. How many of us refuse every time?

Way back in 1998, as folks were trying to figure out how to implement HIPAA, the question arose: Gee, why don't we establish a unique patient identifier system so that we can be assured that each electronic health record is properly tied to the right individual? (Check out this vintage HHS white paper on the Unique Health Identifier, published as prologue to a rulemaking process that never went anywhere.)  Eventually, that approach was taken for providers (UPIN, then NPI), but not for patients. In fact, every year since then, Congress has included a special line in the HHS budget that says Thou Shalt Not establish a unique patient identifier system.

This approach has spawned a sub-industry that scrubs data sets to ensure that an individual patient doesn't have duplicate records, each including only a part of the whole, by triangulating from all the data points used to perpetrate identity theft: SSN, DOB, name, address, etc. All those data points are needed in order to make sure that we're talking about the right Mr. Jones. If the only identifier attached to the health data were the patient ID number, then health records would suddenly become much less valuable to identity thieves — and it would be easier to determine which record belongs to whom.

Using patient ID numbers (which could be encrypted and thus protected — because, after all, who wants to get a new patient ID number? Getting a new credit card number after some system or other gets hacked is bad enough, and remember, you can't get a new SSN just because your health records have been hacked) would be one element of a data minimization approach designed to lessen the likelihood of damage resulting from a breach. Couple that with the auditing capabilities that allowed Anthem to notice its breach in short order (vs. some breaches which were exploited over the course of years before anybody noticed), and we'd be looking at some real improvements to health data security.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting 

Filed Under: Ehealth, EHR, Health care policy, Health Information Exchange, Health Law, HHS, HIPAA, HIT, Privacy, Security

you might also like:

  1. Data Breach Analysis 2009-2012 – HITECH Experience Reviewed by HITRUST

  2. Son of HIPAA Breach Notification Rules

  3. The Virginia prescription record security breach: The big picture, and using this case as a learning experience

« ONC, Interoperability, and the 2/6/2015 #HITsm Tweetchat
HIPAA Audits: The Latest Oracular Prognostications »

Follow me on Twitter

David Harlow 💉😷 Follow 42,908 17,568

Mastodon @healthblawg@c.im #HealthCare #MedDevice #Compliance #Privacy @MyOmnipod #HIPAA #digitalhealth #HarlowOnHC #pinksocks Tweets are tweets No more no less

healthblawg
healthblawg avatar; David Harlow 💉😷 @healthblawg ·
5h 1620445622955278337

Moonshots — StartUp Health https://paper.li/healthblawg/1369855999?read=https%3A%2F%2Fwww.startuphealth.com%2Fmoonshots #hcldr

Reply on Twitter 1620445622955278337 Retweet on Twitter 1620445622955278337 0 Like on Twitter 1620445622955278337 0 Twitter 1620445622955278337
healthblawg avatar; David Harlow 💉😷 @healthblawg ·
5h 1620445621772587008

Harlow on Health Care is out! #healthcare #hcldr #hcsm #HIT #healthreform #HIPAA

Image for twitter card

Moonshots — StartUp Health

startuphealth.com At StartUp Health, we invest in the most innovative health entrepreneurs in the world — our glob...

paper.li

Reply on Twitter 1620445621772587008 Retweet on Twitter 1620445621772587008 0 Like on Twitter 1620445621772587008 0 Twitter 1620445621772587008
healthblawg avatar; David Harlow 💉😷 @healthblawg ·
5h 1620439418514333698

The latest Harlow On Health Care Daily #HarlowOnHC #digitalhealth #healthcare #innovation #privacy #hcldr Thx: @biomelb @SCMagazine @r2guidance #digitalhealth #healthcare

Image for twitter card

Why enterprises trust hardware-based security over quantum computing

venturebeat.com Quantum computing is being realized, but its limitations in cybersecurity are prompting organizations to ...

paper.li

Reply on Twitter 1620439418514333698 Retweet on Twitter 1620439418514333698 0 Like on Twitter 1620439418514333698 0 Twitter 1620439418514333698
Load More
Follow me on Mastodon

HIPAAtools

Hipaatools

The HIPAA Compliance Toolkit

The Walking Gallery

The Walking Gallery

Quick Links

  • Home
  • Categories
  • Archives
  • Podcast Interviews
  • HIPAAtools
  • HIPAA Compliance
  • Health Care Social Media
  • Speaking
  • In the Press
  • Blogroll

David Harlow

David Harlow

HealthcareNOW Radio

Connect with David

  • Twitter
  • Facebook
  • LinkedIn
  • RSS
  • Email
  • Subscribe
  • Contact
  • Book Me: Speaking
  • About
  • The Harlow Group LLC
Copyright © 2006–2023
HealthBlawg is a publication of The Harlow Group LLC. See Copyright notice and disclaimer.
Fair use with attribution and a link is encouraged. Click for more on David Harlow.
[footer_backtotop text="Back to top" href="#"]