Healthcare Law Blog

Lessons Learned from Recent Data Security Breaches, Part One

The recent series of security breaches at Target, Sony, Home Depot, and Anthem Inc. serve as stark reminders that all organizations, even the ones with most secure networks, face significant cybersecurity threats and challenges that could cause substantial financial costs and reputational damage. The Anthem security breach, in particular, should sound alarms about the need to improve the security of protected health information (“PHI”) for every covered entity. This week’s posts will discuss what health care providers can learn about preventing data breaches based on the breaches at Anthem and Target.

On February 4, 2015, the second largest healthcare insurance company in the U.S., Anthem Inc., reported a data security breach affecting 78.8 million customers. In January, hackers sent phishing emails to employees that allowed the hackers to steal at least five employees’ network credentials, usernames, and passwords. These hackers even obtained the information belonging to the system administrator account. The system administrator did not notice the breach until someone used his access codes and information and was inside the system. Although the final report on the Anthem data breach has not yet been issued, the fact that the hackers obtained five sets of access keys or credentials (log in and passwords) from authorized users indicates how dangerous an innocent mistake, such as opening a phishing email, can be to an entire data system.

During the 2013 holiday shopping season, Target suffered a substantial security breach of its credit and debit card system that impacted 70 million customers. In Target’s case, the hackers obtained access to customer information through hacking Fazio Mechanical, a refrigeration contractor of Target. Similar to the Anthem hacking scheme, an employee of Fazio Mechanical opened a malicious phishing email that installed a piece of malware, which recorded login credentials and gave the hackers access to a portal into Target’s internal systems. The hackers used the portal access to gain control of Target’s servers. Thus, the hackers gained access to Target’s system by hacking into the system of an outside contractor and using that contractor’s access information to get into Target’s system. The Target breach indicates that covered entities must closely monitor the security breaches of their contractors, because those outside security breaches can give hackers an indirect access point into the covered entity’s system.

Both the Anthem and Target security breaches were caused by simple human mistakes - opening the wrong email attachment, visiting the wrong web page, and/or opening a malicious email. Despite Anthem’s security protocols and safeguards, its employees failed to recognize suspicious phishing emails and unwittingly gave hackers their access information. In Target’s case, the contractor’s employees failed to recognize suspicious phishing emails and unwittingly gave hackers their access information and that information was used to gain access into Target’s system. These simple human mistakes led to the dissemination of confidential data for millions of insured members and customers.

Tune in Thursday, as the next post will discuss will discuss these data breaches in the context of the HIPAA/HITECH rules.

Services may be performed by others.

This article does not constitute legal advice.