HealthBlawg

David Harlow's Health Care Law Blog

    • Twitter
    • Facebook
    • LinkedIn
    • RSS
    • Email
  • About
  • Archives
  • Podcast
  • Press
  • Awards/Reviews
  • HIPAA
  • HCSM

Lessons from the Anthem breach

February 6, 2015

Into the Breach

Anthem experienced a major data breach last week, and reportedly some records (Social Security Numbers and other identifying information, but not health data) of up to 80 million members and employees were obtained by hackers.

There is much to be said (and much has already been said) about the need for privacy and security and protections in the case of Anthem, just as "helpful hints" have been provided after the fact to victims of all significant data breaches. My reaction, when reading about the unencrypted SSNs that were accessed in this attack, was: Why in the world are we using social security numbers as ID numbers? It doesn't have to be this way.

The social security number is the only universal unique identifier we have at our disposal in this country. It's easy to ask for, and to use, but … it's not supposed to be used for anything other than administration of Social Security benefits. Until not all that long ago, states used SSNs as driver's license numbers. No longer (at least around these parts). Most of us get asked for the last 4 (or 5 or 6) digits of our SSNs constantly for all kinds of reasons. How many of us refuse every time?

Way back in 1998, as folks were trying to figure out how to implement HIPAA, the question arose: Gee, why don't we establish a unique patient identifier system so that we can be assured that each electronic health record is properly tied to the right individual? (Check out this vintage HHS white paper on the Unique Health Identifier, published as prologue to a rulemaking process that never went anywhere.)  Eventually, that approach was taken for providers (UPIN, then NPI), but not for patients. In fact, every year since then, Congress has included a special line in the HHS budget that says Thou Shalt Not establish a unique patient identifier system.

This approach has spawned a sub-industry that scrubs data sets to ensure that an individual patient doesn't have duplicate records, each including only a part of the whole, by triangulating from all the data points used to perpetrate identity theft: SSN, DOB, name, address, etc. All those data points are needed in order to make sure that we're talking about the right Mr. Jones. If the only identifier attached to the health data were the patient ID number, then health records would suddenly become much less valuable to identity thieves — and it would be easier to determine which record belongs to whom.

Using patient ID numbers (which could be encrypted and thus protected — because, after all, who wants to get a new patient ID number? Getting a new credit card number after some system or other gets hacked is bad enough, and remember, you can't get a new SSN just because your health records have been hacked) would be one element of a data minimization approach designed to lessen the likelihood of damage resulting from a breach. Couple that with the auditing capabilities that allowed Anthem to notice its breach in short order (vs. some breaches which were exploited over the course of years before anybody noticed), and we'd be looking at some real improvements to health data security.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting 

Filed Under: Ehealth, EHR, Health care policy, Health Information Exchange, Health Law, HHS, HIPAA, HIT, Privacy, Security

you might also like:

  1. Data Breach Analysis 2009-2012 – HITECH Experience Reviewed by HITRUST

  2. Son of HIPAA Breach Notification Rules

  3. The Virginia prescription record security breach: The big picture, and using this case as a learning experience

« ONC, Interoperability, and the 2/6/2015 #HITsm Tweetchat
HIPAA Audits: The Latest Oracular Prognostications »

Follow me on Twitter

David Harlow 💉😷 Follow 43,510 17,460

Mastodon @healthblawg@c.im #HealthCare #MedDevice #Compliance #Privacy @MyOmnipod #HIPAA #digitalhealth #HarlowOnHC #pinksocks Tweets are tweets No more no less

healthblawg
healthblawg avatar; David Harlow 💉😷 @healthblawg ·
16h 1665219373223616513

ICYMI> Stephen Williams, CMO of SomaLogic, on the Promise of Proteomics — Harlow on Healthcare https://healthblawg.com/2023/01/stephen-williams-somalogic-proteomics.html?utm_source=twitter&utm_medium=social&utm_campaign=ReviveOldPost #digitalhealth #hcldr #HITsm

Image for the Tweet beginning: ICYMI>  Stephen Williams, CMO Twitter feed image.
Reply on Twitter 1665219373223616513 Retweet on Twitter 1665219373223616513 0 Like on Twitter 1665219373223616513 0 Twitter 1665219373223616513
healthblawg avatar; David Harlow 💉😷 @healthblawg ·
23h 1665113709855776769

ICYMI> From EEGs to actionable clinical endpoints with Jacob Donoghue, MD PhD, CEO of Beacon Biosignals — Harlow on Healthcare https://healthblawg.com/2022/07/jacob-donoghue-beacon-biosignals.html?utm_source=twitter&utm_medium=social&utm_campaign=ReviveOldPost #digitalhealth #hcldr #HITsm

Image for the Tweet beginning: ICYMI>  From EEGs to Twitter feed image.
Reply on Twitter 1665113709855776769 Retweet on Twitter 1665113709855776769 0 Like on Twitter 1665113709855776769 0 Twitter 1665113709855776769
healthblawg avatar; David Harlow 💉😷 @healthblawg ·
3 Jun 1665007971783376898

ICYMI> Lissy Hu, President of Connected Networks at WellSky — Harlow on Healthcare https://healthblawg.com/2023/01/lissy-hu-wellsky.html?utm_source=twitter&utm_medium=social&utm_campaign=ReviveOldPost #digitalhealth #hcldr #HITsm

Image for the Tweet beginning: ICYMI>  Lissy Hu, President Twitter feed image.
Reply on Twitter 1665007971783376898 Retweet on Twitter 1665007971783376898 0 Like on Twitter 1665007971783376898 0 Twitter 1665007971783376898
Load More
Follow me on Mastodon

HIPAAtools

Hipaatools

The HIPAA Compliance Toolkit

The Walking Gallery

The Walking Gallery

Quick Links

  • Home
  • Categories
  • Archives
  • Podcast Interviews
  • HIPAAtools
  • HIPAA Compliance
  • Health Care Social Media
  • Speaking
  • In the Press
  • Blogroll

David Harlow

David Harlow

HealthcareNOW Radio

Connect with David

  • Twitter
  • Facebook
  • LinkedIn
  • RSS
  • Email
  • Subscribe
  • Contact
  • Book Me: Speaking
  • About
  • The Harlow Group LLC
Copyright © 2006–2023
HealthBlawg is a publication of The Harlow Group LLC. See Copyright notice and disclaimer.
Fair use with attribution and a link is encouraged. Click for more on David Harlow.
[footer_backtotop text="Back to top" href="#"]