The newly announced cyberattack against CareFirst Blue Cross and Blue Shield and the massive earlier hacks at Premera Blue Cross and Anthem would have had a narrower impact if the health insurers hadn't retained customer data for so long, experts say.
CareFirst, which covers about 3.4 million people in Maryland, the District of Columbia and Virginia, said last week that it was the victim of a cyberattack that affected 1.1 million current and former members who have used the company's online tools. The insurer's information technology staff had believed they contained the intrusion last June.
CareFirst's acknowledgement that it had a breach to contain last year suggests the insurer probably should have contacted an outside cybersecurity firm at that time, said Ken Dort, a cybersecurity expert and partner in Drinker Biddle & Reath's Intellectual Property Practice Group. CareFirst later brought in security consultant Mandiant.
Medical and financial information was not stored in the database that was hit, but it did include names, birthdates, e-mail addresses and subscriber identification numbers, all of which qualify as federally protected health information.
Experts are scratching their heads over why the insurers kept data longer than necessary. “These breaches wouldn't be near as large if they weren't holding on to so much data,” said Mac McMillan, founder of CynergisTek, an Austin, Texas-based security consultancy. “Why are companies able to hold on to so much information on people they're no longer serving?”
It's up to the states to determine how long medical records must be kept, but federal law requires that covered entities retain legally mandated documentation for six years “from the date of its creation or the date when it last was in effect, whichever is later.”
Companies hold customer data thinking it might have future value in litigation or as documentation of pre-existing medical conditions, said Mark Shelhart, a senior manager at Sikich, a professional services firm. But more often than not, the costs associated with a breach are much higher than whatever it would have cost to discard the information. “Our answer, almost always, is get rid of it as fast as you possibly can,” he said. He suggested keeping information that is more than five years old on a system not connected to the Internet.
Katherine Keefe, global head of British insurer Beazley's breach response services, said her company has assisted clients with breaches in which the impact could have been significantly smaller if the organization or a vendor had not kept older information. “They need to look at document retention and destruction policies and those of their vendors,” she said.