The sophisticated cyberattack against CareFirst Blue Cross and the record-breaking hacks at Premera Blue Cross and Anthem would have a narrower impact if insurance companies didn't retain customer data for so long, experts say.
CareFirst, which provides health insurance and administrative services for about 3.4 million people in Maryland, the District of Columbia and Northern Virginia, said Wednesday that it was the victim of a cyberattack affecting 1.1 million current and former CareFirst members who have used the company's online tools.
Medical and financial information was not stored in the single database attacked, but it did include usernames, names, birthdates, e-mail addresses and subscriber identification numbers, most of which is protected health information under the Health Insurance Portability and Accountability Act.
Although it's unknown how many of the individuals affected are no longer insured by CareFirst, the idea that companies keep data for longer than necessary has cybersecurity experts scratching their heads.
“These breaches we're seeing wouldn't be near as large as they are if they weren't holding on to so much data,” said Mac McMillan, an IT healthcare security expert and founder of CynergisTek, an Austin, Texas-based security consultancy. “One of the overarching questions that needs to be asked is why are companies able to hold on to so much information on people they're no longer serving?"
It's up to states to determine how long medical records must be retained, but HIPAA requires that covered entities retain documentation required by the law “for six years from the date of its creation or the date when it last was in effect, whichever is later.”
Companies hold on to customer data out of concern that it might have future value, for example, as a point of reference for litigation, or in the case of DNA, as an explanation of pre-existing conditions, said Mark Shelhart, senior manager for incident response and forensics at Sikich, a professional services firm. But more often than not, the costs associated with a breach are much higher than the cost of being without the information.
“Our answer, almost always, is get rid of it as fast as you possibly can,” Shelhart said. He suggested that information older than five years is probably best kept on a system that is not connected to the Internet and therefore inaccessible outside of a company's premises.
Katherine Keefe, global head of British insurer Beazley's breach response services, said the company has assisted clients in breaches where the impact could have been significantly smaller if the organization or a vendor had not kept older information.
“Sometimes they're not aware,” Keefe said. “They need to look at document retention and destruction policies and that of their vendors.”
Unlike the Premera and Anthem attacks, this latest attack does not affect Blue Cross and Blue Shield customers other than CareFirst's, a company spokesman confirmed Wednesday evening. Hackers in the other two attacks were potentially able to access information from the BlueCard Network, which allows Blues insurers to cover customers who get treatment outside of their own health plan's service area.
CareFirst is the third Blues insurer to be targeted this past year, in addition to Anthem and Premera. That doesn't necessarily suggest that data thieves are targeting the Blues brand, but hackers likely see value in the insurers' information-rich networks, said Keefe, who once served as deputy general counsel for Philadelphia-based Independence Blue Cross.
“Who knows whether there's any sort of nexus between and amongst the attacks,” Keefe said. “But I don't think it's too hard to figure out that Blue Cross plans are a treasure trove of information and they often keep subscriber information for years.”
The FBI confirmed in a statement that it is investigating the cyberattack. An agency spokeswoman declined to comment on whether it believes Blues insurers are specifically being targeted by hackers.
"Similar to other recent intrusions, this incident underscores the importance of rapidly notifying law enforcement once a breach has been detected, as doing so allows the FBI to quickly deploy our cyberexperts to preserve evidence and work with incident responders to help recover their networks," a statement said.