82.1 F
San Fernando
Thursday, Mar 28, 2024

Diagnosing the Anthem Data Breach

The data breach at Anthem Inc. that exposed the personal information of as many as 80 million former and current Anthem enrollees should be a wake-up call for those in the medical industry and health advocacy organizations who are having a love affair with big data. The ever-expanding business of patient health data collection – from health conditions to hospital recovery times – inevitably creates more opportunities for that information to be hacked. Industry, advocates and consumers need to take a hard look at each new data collection scheme to decide if the benefits outweigh the substantial costs of placing more data at risk. The hack of the Indianapolis-based insurer revealed names, Social Security numbers, income, birthdays and medical identification numbers – everything an identity thief needs to impersonate a person to obtain new credit, or costly medical treatment. Anthem was quick to respond to the hack with promises of credit monitoring and other consumer assistance. It no doubt hoped to calm Wall Street and dampen public outrage during the final weeks of Obamacare open enrollment. Yet flying under the radar was the fact that, last year, Anthem willingly provided to a third-party database the same sensitive data that the hackers worked so hard to steal. Last summer, the company’s Anthem Blue Cross subsidiary in Thousand Oaks and Blue Shield of California announced a partnership to create a master database of their customers’ medical information in California. They provided $80 million in seed money, and all of the records they hold on their customers, to get the California Integrated Data Exchange, or Cal Index, off the ground. Yet, rather than making the case to consumers of the benefits of a centralized health information exchange, the insurance companies presumptively supplied Cal Index with all their customer records and informed consumers after the fact. Fair information practices would at a minimum give consumers the ability to prevent their personal medical information from being given to companies they have never heard of. And, in its email to customers, Anthem seemed to suggest it would when it wrote: “This program is 100 percent optional.” What Anthem didn’t explain is that although consumers who opt out will be able to prevent medical providers from accessing their information in the database, the information will never be removed. Cal Index will keep the information it has and continue collecting it from insurance companies and health providers despite any request by a consumer to opt out. Further, Cal Index will not allow consumers to delete their data if they change their minds about participating, and does not plan to give consumers access to their entire record until some unidentified future date. This places patient health at risk by increasing the likelihood that a medical provider relies on a file that is incorrect. We have little faith in programs that health insurance companies claim are for consumers’ benefit, yet make participation mandatory. By placing millions of Californians’ private medical information in a database that could become one-stop-shopping for hackers, Anthem and Blue Shield have placed all of their customers’ data at risk without their consent. It is a classic case of more data being good data in the eyes of the medical industry – with no care for the additional risks that the information will be compromised. Every additional employee with access to our medical records, new Internet service provider that transmits the information, and company laptop that goes home with a telecommuter creates one more point of vulnerability for data thieves to exploit. Health advocates can have the same blind spot – enamored of the possibilities presented by big data to help diagnose and treat illness, they are unable to see when patient rights get squashed in the process. The Anthem hack makes clear why Cal Index, Anthem and Blue Shield should ditch the “opt-out” system and allow consumers to prevent their records from being collected in the first place. If the insurance companies refuse to take patient privacy seriously, California lawmakers must act. Legislation to restore Californians’ control over their medical records would require health information exchanges give consumers the right to choose whether to participate by opting in; make opting out real by preventing collection and retention, as well as sharing of data; and give consumers the right to view, correct and delete any data held by the exchange. Finally, lawmakers should require all sensitive data, including medical information, held by companies in California to be encrypted. Shockingly, the data stolen at Anthem was not. Carmen Balber is executive director at Consumer Watchdog, a Santa Monica consumer and taxpayer advocacy organization.

Featured Articles

Related Articles