Health law expert gives advice to those whose personal data may have been compromised in the Anthem cyber leak
Teresa Taylor, an attorney with the law firm Akrivis in Washington, D.C., talked with us about the recent breach of customers’ personal data at Anthem Insurance Company due to a cyber attack on Anthem’s computers. Ms. Taylor states that the problem is a big one.
“If the news is correct and the estimates are correct, then we are looking at a potential of 80 million people who have had their personal information accessed,” said Taylor. “Anthem has come out and said that at least 10 million people have been affected so far. So with 80 million people as a possible victim group, we are looking at the largest healthcare breach so far.”
According to Ms. Taylor, Anthem has incorrectly stated that the information breached does not constitute a breach under the HIPAA (Health Insurance Portability and Accountability Act) privacy rules because no actual health records were accessed. Ms. Taylor advises that under the newer rules covering the protection of healthcare information, known as “HIPAA HITECH”, personal data such as a person’s name, address or email address is protected information under HIPAA.
Ms. Taylor warns that it is not only large health care insurers such as Anthem that could face severe fines and even criminal penalties if their customers’ personal information is leaked. Even small businesses such as doctors’ offices or nursing homes could face stiff penalties if they allow their patients’ medical or personal information to be breached. This is particularly true if the business had not taken proper measures to safeguard the information or was careless with it.
The violation can be even worse if a company fails to notify both the federal Department of Health and Human Services and the potential victims in a timely manner that their information was compromised. Not only would the health insurer or health care provider be at risk of these penalties, but so would any “business associates” of that provider. This includes subcontractors such as accountants, law firms and even tech companies that are hired by the health insurer or health care provider. The potential legal problems extend even to individual employees of these companies.
Ms. Taylor advises that any company subject to these possible HIPAA violation penalties should put together a solid and easy-to-understand plan for complying with the HIPAA privacy rules. Companies should also understand the federal timely-notification rules that apply should a breach occur.
The federal government has delegated both civil and criminal prosecutions to local state prosecutors, who can be very aggressive in pursuing them, since successful prosecutions of these cases can bring a large amount of money to their state.
In Anthem’s case, a potential of 80 million victims could mean 80 million individual violations of the privacy laws.
“And the fines here are steep,” says Taylor, “they range from a minimum of $100.00 per violation for an employee of a company up to $25,000 maximum per violation. For a company it is a minimum of $50,000 per violation up to a million and a half dollars.”
“Anthem is a very large company and is a perfect example of a compliance violation based on what the news articles are saying so far.”
Ms. Taylor offers some advice for those who may find themselves a victim or potential victim of the Anthem data breach.
“Definitely start to watch their information,” said Taylor, “and even though there wasn’t credit card information stolen from Anthem here, the reason the medical records and protected information is such a target here is because it provides everything: the Social Security number; the habits; the addresses; past employers; a whole lot of information on someone’s health record. You can do a lot just by getting someone’s address or just their email address and sometimes just their name, it’s pretty amazing.”
Ms. Taylor offers additional advice.
“I would suggest you watch your record; you can request your health record,” says Taylor. “And see if there is anything strange there, a diagnosis you haven’t seen before; an address that’s not yours. You can use a credit monitoring service as well, like Expedia. I believe in Anthem’s situation, they are going to offer it free. You want to follow Anthem’s website there and find out how you could start that.”
Ms. Taylor offers some other tips useful to those affected by the Anthem data breach.
“You need to extend the credit monitoring beyond the 90 days,” says Taylor. “A lot of people who have an incident might get the credit monitoring for 90 days, and the criminals using this information are waiting for people to get lazy. So you really need to be mindful, get your health record, get your credit report, watch it, be careful with your passwords.”
“When people call and ask you for your information or show up at your front door, be very mindful. Google the correct name or look on the back of your credit card for the number for your credit card company and call that before you give out any information, and make sure it’s the correct number, things like that.”
Ms. Taylor believes that we are going to see more and more of these types of incidents but says we should not let this paralyze us. She suggests that health-related businesses can learn more about safeguarding customers’ health records by visiting her firm’s website, www.akrivislaw.com, or the Health and Human Services Office for Civil Rights web page.