State Authorities Probe Anthem HackAGs, Insurance Regulators Investigating; Senate Launches Study
As state insurance commissioners and attorneys general launch investigations into the cyber-attack against Anthem Inc., the nation's second largest health insurer, a U.S. Senate committee is examining the healthcare industry's preparedness for mitigating cyberthreats.
The National Association of Insurance Commissioners announced Feb. 6 it plans to launch a multistate examination of Anthem Inc. following the breach. "Since the news broke, regulators have been working together and have been in discussion with Anthem executives," says Monica Lindeen, NAIC president and Montana's Commissioner of Securities and Insurance. "We are in agreement that an immediate and comprehensive review of the company's security must be a priority to ensure protection of consumers who are covered by Anthem."
The California Department of Insurance expects to be a leader in that national effort, says Dave Jones, California's insurance commissioner. Anthem has a major market presence in California. But all 56 states and territories will participate in the examination, Jones says.
Meanwhile, attorneys general in at least six states - Arkansas, California, Connecticut, Illinois, Massachusetts and North Carolina - have initiated their own investigations into the Anthem breach, according to media reports.
In Connecticut, for instance, Attorney General George Jepsen sent a letter dated Feb. 5 to Anthem CEO Joseph Swedish, requesting detailed information by March 4 on how the breach occurred, steps being taken to protect affected individuals and new procedures being adopted to prevent other breaches.
"While some of this information may presently be unknown or under investigation, it is imperative to the protection of Connecticut residents that I better understand the circumstances of this breach as they are known today," Jepsen writes.
U.S. Senate Inquiry
In Washington, the leaders of the Senate Health, Education, Labor and Pension Committee disclosed Feb. 6 that the panel in January implemented a bipartisan initiative in which committee members and staffers are meeting with representatives from federal agencies that have healthcare oversight as well as independent cybersecurity experts and healthcare industry leaders to explore health IT security and healthcare industry preparedness for cyber-attacks.
"Patients, hospitals, insurers and all Americans who value the safety and privacy of their sensitive personal information have a right to be alarmed by reports that their electronic records might be vulnerable to a cyber-attack," says Committee Chairman Lamar Alexander, R-Tenn. The panel is taking "a serious look at how these types of attacks may be prevented and examine whether Congress can help," he adds.
The committee's ranking member, Patty Murray, D-Wash., says Congress should do everything it can to make sure that personal and private information is protected from the growing threat of cyber-attacks. "This is especially true when it comes to healthcare," she says.
On the other side of the Capitol, Energy and Commerce Committee Chairman Fred Upton says the panel - which has oversight over healthcare - will hold hearings examining the various threats posed by cybercrime. "We need to tackle head-on these cyberthreats, whether from petty criminals or sophisticated foreign agents," says Upton, R-Mich. "Technology has vastly improved our lives, but it has also presented new challenges that we must work to overcome."
A Long Overdue Step
A Congressional inquiry into the steps the healthcare industry is taking to safeguard IT from cyber-attacks is long overdue, says David Holtzman, a former senior adviser at the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA.
Unlike other industries, such as financial services, telecommunications and electricity generation, healthcare has not developed a voluntary cybersecurity framework to secure its IT, Holtzman notes. The attention the Senate panel gives to health data security could lead the industry to implement a framework, says Holtzman, vice president of privacy and security compliance services at the consulting firm CynergisTek.
"Congress could take carrot-and-stick approach in which it forcefully encourages the industry to adopt voluntary standards for security of health information or, failing that, use its stick to impose them through laws mandating minimum security safeguards," he says.
Anthem Meets with Lawmakers
Meanwhile, Anthem representatives briefed members of Congress last week about the breach that may have exposed personal information on as many as 80 million current and former customers and employees. One of the lawmakers briefed - House Homeland Security Committee Chairman Michael McCaul - praised Anthem for working closely with federal authorities to identify the attacker and to mitigate and recover compromised systems. "Because of Anthem's swift response and transparency, I am hopeful that other companies can protect their consumers from similar attacks," said McCaul, R-Texas.
McCaul took the opportunity to promote legislation he has sponsored to get businesses to share cyberthreat information with the government. "Congress has yet to do its part to break down the legal barriers for the sharing of cyberthreat information between the public and private sectors," he said.
Also last week, White House Cybersecurity Coordinator Michael Daniel used health insurer Anthem's massive data breach to promote the Obama administration's cybersecurity initiatives.
(News Editor Howard Anderson and Executive Editor Marianne Kolbasuk McGee contributed to this story.)