Guest Author Brian Clement: Anthem Blue Cross data breach is a wake-up call for healthcare organizations

Security concept: Lock on digital screen

Anthem, which happens to be the second largest health insurance company in the United States, suffered a monumental data breach that must not be ignored. 80 million records (people) have been left exposed and vulnerable to identity theft. 80 million people!

Let’s put this into perspective:

  • Population of Michigan, Ohio, Indiana, Illinois, Wisconsin, Pennsylvania and New York: ~79.3 million
  • Population of California: ~38.8 million
  • Population of Texas: ~26.9 million

Unprecedented isn’t it?

Each of those 80 million people must be personally notified about the breach. At a low end cost estimate of $0.50 per each mandatory notice, the printing and mailing cost alone exceeds $40 million dollars. This doesn’t include credit monitoring expenses, fines, penalties or legal expenses. Yikes.

Media outlets are running with the story, pointing fingers, seeking blame, accusing foreign countries  (remember SONY pictures… was North Korea, no wait Russia, no wait North Korea). The bottom line –  don’t get caught up in the propaganda, but rather use it as an alarm clock to build a risk management plan for your data security.

The Patient Protection and Affordable Care Act (PPACA) brought with it the mandate of utilizing electronic medical records. The PPACA also strengthened language contained within the Health Insurance Portability and Accountability Act (HIPAA). When the electronic medical record mandate started up in 2014 the FBI issued a warning that healthcare organizations would see an increase in cyber intrusions. Well, guess what, it’s happening.

So what do you do? How does one begin to implement a data security risk management plan?

Think about these topics:

  1. The human firewall – Do you or your employees leave laptop computers, tablets, smart phones or USB flash drives exposed in your car or office where they can easily be stolen? If yes, why?
  2. Do you store files in ‘the cloud’? If yes, what kind of cloud is it? Who owns the data? Who is responsible for investigating a data breach? Don’t assume the liability rests with the cloud provider. Chances are as evidenced in the contract it doesn’t.
  3. Do you accept credit cards as a method of payment? If the point-of-purchase machine suffers a malicious attack and credit card data is stolen, who responds to the data breach? Chances are it’s your responsibility and not the merchant processor who sold/leased the equipment.
  4. Rogue employees – sadly, employees steal and sell data. Not only does it happen at large organizations such as Blue Cross Blue Shield of Michigan but also happens at small practices . Yes, it’s frightening.
  5. How much have you invested in encryption and protecting your Wi-Fi?
  6. Do you know how much it costs, as required by state law, to investigate and respond to a violation and data breach?

Your approach to solving the data violation/breach problem is two fold. The first part is being proactive. Build an information security risk management plan by utilizing a professional. Understand what you have in place and what you don’t. Please don’t assume that the IT Company handling your software and networks is also handling your data security. Chances are they’re not. Hire a Cyber Security specialist.

Second, investigate the cost of a Cyber Liability Insurance policy. A data violation/breach is not fully (or in most cases at all) covered by General Liability insurance, Malpractice insurance or specialized coverage such as Crime. The Cyber Liability policy is the reactive portion of your data security plan and responds accordingly to a violation/breach.

It might help to compare your approach to data risk management human medicine  –  when someone needs medical treatment do they generally do it alone or visit a medical professional? Did they wait too long and their ailment has turned into a serious condition? Or was it caught early and can be treated promptly?

Whatever the case may be the cost of not implementing a plan is significantly higher than doing nothing at all.

Brian Clement is a licensed insurance agent and a risk management consultant with the Ralph C. Wilson Agency in Southfield, MI. For over ten years Mr. Clement has guided companies operating in various industries throughout the United States through risk management and  purchasing decisions regarding Property, Casualty, Professional Liability, Errors & Omissions, Workers’ Compensation and other specialty insurance programs . Furthermore, Mr. Clement advises employers on various employee benefit offerings and funding arrangements, including navigating the state and federal compliance waters of HIPAA, HI-TECH, COBRA and FMLA.  Follow Mr. Clement on Twitter and on LinkedIn.