As long as U.S. laws fail to impose significant costs for data security breaches, we can expect companies to treat the costs of these breaches as the cost of doing business--just as they do with litigation costs for faulty automobile parts, manufacturing pollution, and the like.
Any such law would be used to squash small businesses while larger ones are largely given a pass (even a fine large enough to sting will only sting). See the difference between dealing with known drug money as an individual vs. as a bank.
Then tie it to the company size, or make it big but limit it according to some factor (as far as I remember, here in Germany it is limited by a percentage of revenue). And/or add personal liability for people having oversight over this, of course also within limits.
In Massachusetts, 201 CMR 17.00 sets a $5000 per violation fine for losing personal information. The law itself is poorly written, so it's unclear if a violation is per individual, or per incident. I would love to see it enforced per individual, and for our AG to go after and destroy Anthem, and all the other companies that keep getting away with this.
If enough companies are destroyed, eventually they will start taking security seriously.
It is. HIPAA should destroy these jerks. The problem is that they are stating that no health data was actually lost... just the part of the health data that identifies you and can be used to ruin your credit.
Since that part of the data should be the most locked down, it seems like a complete lie to me. I think the health info was compromised completely.
I would bet that they store SSN and MRN in the same table. Since the personally identifiable information (patient demographics) is the foreign key for the patient data, it seems likely that everything is compromised.
One way to have not allowed this is to force the database to restrict queries to use two pieces of information in the where clause. This means that they would have to search for name = "John Smith" and MRN = "xyz". This would prevent mass queries and database dumps.
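As an added illustration of the two-identifier rule proposed above (this is example code written for this page, not anything from the commenter or from any real system), the following Python uses an in-memory SQLite table shaped like the one the thread describes, with demographics, MRN and SSN in the same row as clinical data. The only read path the application exposes demands both a name and an MRN, binds them as exact-match parameters, and never returns the SSN column. The sample rows and identifiers are constructed and fictional. The last function shows the caveat a reviewer would raise: the rule is enforced in the application, so it does not stop anyone who holds the database credentials or a copy of the file.

```python
import sqlite3
from typing import Optional

# Constructed sample rows with fictional identifiers; not data from any real system.
SAMPLE_PATIENTS = [
    ("John Smith", "MRN-1001", "123-45-6789", "hypertension"),
    ("John Smith", "MRN-1002", "987-65-4321", "asthma"),
    ("Jane Doe",   "MRN-1003", "555-12-3456", "type 2 diabetes"),
]


class LookupRejected(Exception):
    """Raised when a lookup does not satisfy the two-identifier policy."""


def build_db() -> sqlite3.Connection:
    """Create the table the thread describes: demographics, MRN and SSN
    stored in the same row as the clinical record."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patient ("
        " name TEXT NOT NULL, mrn TEXT PRIMARY KEY,"
        " ssn TEXT NOT NULL, diagnosis TEXT)"
    )
    conn.executemany("INSERT INTO patient VALUES (?, ?, ?, ?)", SAMPLE_PATIENTS)
    conn.commit()
    return conn


def lookup_patient(conn: sqlite3.Connection,
                   name: Optional[str], mrn: Optional[str]) -> Optional[dict]:
    """The only read path the application exposes.

    Policy: the caller must supply BOTH the patient's name and the MRN.
    Both are bound as exact-match parameters, so there is no way to express
    'every row' or 'every patient called Smith' through this function.
    """
    if not name or not name.strip() or not mrn or not mrn.strip():
        raise LookupRejected("both name and MRN are required")
    row = conn.execute(
        # '=' with bound parameters: '%' and '_' are literal characters here,
        # not LIKE wildcards, so a caller cannot smuggle a pattern in.
        "SELECT name, mrn, diagnosis FROM patient WHERE name = ? AND mrn = ?",
        (name, mrn),
    ).fetchone()
    if row is None:
        return None
    # Data minimisation: the SSN column is never part of the result set.
    return {"name": row[0], "mrn": row[1], "diagnosis": row[2]}


def rows_readable_by_direct_sql(conn: sqlite3.Connection) -> int:
    """Caveat: the gate above lives in the application layer. Anyone holding
    the database credentials, or a copy of the file, can still read every
    row, so the rule needs database-level access control and separation of
    the SSN from the clinical record alongside it."""
    return conn.execute("SELECT COUNT(*) FROM patient").fetchone()[0]
```

Requiring both identifiers turns a single leaked MRN or a single leaked name into something that cannot, on its own, retrieve a record through the application, which is the mass-query protection the comment is after; it is not, by itself, protection against a dump taken with database access.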
Having the ID - SSN or MRN - isn't the same as having the patient's full medical records. It'd be entirely possible for a system to have the IDs and not the data - a billing system, perhaps. It all depends on the nature of the compromise.
The argument I'm trying to make is that if someone compromises SSNs, which are used to authorize patients, it's very likely that they have also compromised MRN since MRN is what most healthcare applications use internally as the identifier for patient data.
In the case that they stored SSN and MRN together, which I believe is highly likely, the attackers also gained access to the MRN.
If the most highly protected data, demographic data (the name and identifying information about the individual patient), is unencrypted and easily compromised, I believe that patient data was very likely compromised as well.
It is possible, however, that the attackers were only after information that could be used to commit identity theft, so they may have ignored the health information; however, this does not mean that the health information was properly protected.
I'm not sure that it's a settled matter that HIPAA doesn't apply in this case. PHI includes demographic information which would seem to apply here just based on what we already know has been leaked.
For I worked in several similar companies, and indeed, it's extremely rare that such data is well protected.
It works under the assumption that if it's not been broken into until now, then it's safe enough.
Obviously that's broken logic, since:
- You're not compromised by default/when the business starts.
- When you're compromised, you probably don't even know it. You might find out in a few years if you're lucky.
I doubt Google-esque companies would store a users table with foreign keys to social security numbers, street addresses and phone numbers unencrypted (FDE does not count as it's for hardware loss, not data loss) or at least without some kind of base-level ACL, but I would love to be surprised.
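To make concrete what "not unencrypted, and with a base-level ACL" can look like for a users table that references SSNs, here is an added Python example written for this page; it is not code from the commenter, from Google, or from any health provider. The clinical record carries only an opaque random reference; the SSN itself is kept in a separate vault as a keyed hash (HMAC-SHA256) plus the last four digits for display, so a copy of the database file alone yields no SSNs, which is exactly the data-loss case that full-disk encryption does not cover. The pepper is assumed to live outside the database (here it is generated in process memory, standing in for a KMS/HSM-held key), and SQLite's authorizer hook stands in for the GRANT/REVOKE or column-level security a server database would provide. All patient rows are constructed and fictional.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed, fictional sample data; not from any real system.
PATIENTS = [
    ("MRN-1001", "John Smith", "123-45-6789"),
    ("MRN-1002", "Jane Doe",   "987-65-4321"),
]

# Keyed-hash secret ("pepper"). Assumption for this demo: generated at start-up
# and held only in process memory, in place of a key fetched from a KMS/HSM.
# It never touches the database, so a copy of the file alone cannot be used to
# recover or match SSNs.
PEPPER = secrets.token_bytes(32)


def ssn_hmac(ssn: str) -> str:
    """Keyed hash of an SSN. Unlike a plain SHA-256, the roughly one-billion
    value SSN space cannot be enumerated offline without the pepper."""
    digits = ssn.replace("-", "")
    return hmac.new(PEPPER, digits.encode(), hashlib.sha256).hexdigest()


def build_db() -> sqlite3.Connection:
    """Two tables: the clinical record holds only an opaque reference; the
    vault holds the keyed hash plus the last four digits for display."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE patient   (mrn TEXT PRIMARY KEY, name TEXT NOT NULL,
                                ssn_ref TEXT NOT NULL UNIQUE);
        CREATE TABLE ssn_vault (ssn_ref TEXT PRIMARY KEY, ssn_hmac TEXT NOT NULL,
                                last4 TEXT NOT NULL);
    """)
    for mrn, name, ssn in PATIENTS:
        ref = secrets.token_hex(8)  # random token, not derived from the SSN
        conn.execute("INSERT INTO ssn_vault VALUES (?, ?, ?)",
                     (ref, ssn_hmac(ssn), ssn[-4:]))
        conn.execute("INSERT INTO patient VALUES (?, ?, ?)", (mrn, name, ref))
    conn.commit()
    return conn


def verify_ssn(conn: sqlite3.Connection, mrn: str, presented: str) -> bool:
    """Identity check for, e.g., a billing workflow: confirms the SSN the
    caller presents matches the one on file without ever reading it back."""
    row = conn.execute(
        "SELECT v.ssn_hmac FROM patient p JOIN ssn_vault v USING (ssn_ref)"
        " WHERE p.mrn = ?",
        (mrn,),
    ).fetchone()
    return row is not None and hmac.compare_digest(row[0], ssn_hmac(presented))


def restrict_to_clinical_role(conn: sqlite3.Connection) -> None:
    """Base-level ACL: a connection used by clinical code may not read the
    vault at all. SQLite has no users, so its authorizer callback is used
    here in place of database-level grants."""
    def authorizer(action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_READ and arg1 == "ssn_vault":
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)


def clinical_read_allowed(conn: sqlite3.Connection, mrn: str) -> str:
    """Clinical code still reads demographics normally."""
    return conn.execute("SELECT name FROM patient WHERE mrn = ?", (mrn,)).fetchone()[0]


def clinical_read_of_vault_denied(conn: sqlite3.Connection) -> bool:
    """True when the restricted connection cannot touch the vault."""
    try:
        conn.execute("SELECT ssn_hmac, last4 FROM ssn_vault").fetchall()
        return False
    except sqlite3.DatabaseError:  # SQLite reports "not authorized"
        return True


def full_dump_contains_plain_ssn(conn: sqlite3.Connection) -> bool:
    """What an unrestricted copy of the database yields: every vault row,
    but no plaintext SSN in any of them."""
    rows = conn.execute("SELECT ssn_hmac, last4 FROM ssn_vault").fetchall()
    plain = [ssn.replace("-", "") for _, _, ssn in PATIENTS]
    return any(p in cell for row in rows for cell in row for p in plain)
```

The split matters for the thread's scenario: compromising the patient table yields names and MRNs but no SSN, and compromising the vault yields hashes that cannot be reversed or matched without the separately held pepper. A keyed hash only supports verify-and-display workflows; where the full SSN must be recovered (for example, for tax reporting), the vault column would hold an authenticated encryption of the value under a KMS-managed key instead, with the same table split and the same ACL.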
Much of the data I presume that Google deals with is not sensitive enough to warrant the kinds of encryption that a health provider company should use. My search data and even my Google+/YouTube/Gmail accounts are enough to tie them to my person, but not my identity. I, or someone masquerading as me, cannot open a line of credit with my Google account at a bank.