Melissa Marrero
Information Privacy Law
Professor Ira Rubinstein
February 22, 2017
In February 2015 one of the largest data breaches in the American history took place in the database of Anthem, a health insurance company considered a ‘covered entity’ under Health Insurance Portability and Accountability Act (HIPAA). In this breach hackers gained access to circa 80 million records of current and former customers and employees at Anthem. The information accessed included names, Social Security numbers, birthdays, addresses and employment information.
More than a year after, in November 2016, hackers compromised the personal health information (PHI) of 34,000 people through a mobile health app developed by Quest Diagnostics. Quest is a medical laboratory company that developed an application through which its patients could access their lab results and other personal information.
Health data breaches are very common nowadays and the odds of it happening more often increase as we switch paper records to electronic databases. The apparent issue in this set of data breaches is how covered entities are storing the patient’s data. In ““The Health Data Conundrum”, Kathryn Haund and Eric Topol criticize how there are no major regulations or guideline to the covered entities on the storage of the PHI. The issue Haund and Topol spotted is that these entities store the information in centralized database and that they don’t usually encrypt the information. This makes breaches easier for hackers as they only have to access the database once to gain access to all the information in it.
Moreover, it is very hard to prosecute hackers as most of them commit the breaches from outside the United States of America. Consequently when companies like Anthem and Quest suffer one of these attacks, they rather just offer the victims identity repair services than go after the hackers.
As a solution of the storage problem Haund and Topol suggest the disaggregation of the medical data. Instead of storing it in centralized databases they propose individual encrypted databases divided in families, for example. This would make it harder for hackers to gain access too all the information possessed by these companies, and it would also make it easier for patients to manage their own information and share it with whomever they like to.
Sources:
https://www.nytimes.com/2017/01/02/opinion/the-health-data-conundrum.html
https://www.nytimes.com/2015/02/05/business/hackers-breached-data-of-millions-insurer-says.html