You probably remember the headlines earlier this year when Anthem, the second biggest U.S. health insurance company, suffered a massive data breach. Hackers stole the personal information of 80 million Americans, many of whom were current and former members of Anthem health benefits plans. And just recently, another U.S. health insurer, CareFirst, discovered it had been hacked last year. As a result, 1.1 million of its customers had their data exposed.
While these cases underscore the importance of protecting plan members’ personal data, when employers talk about group health benefits, the conversation usually focuses on costs and benefits design. Experts say this has to change: a cyber breach at an insurance company can expose the insurer to class action lawsuits from plan members and damage the employer’s reputation.
Companies also need to know hackers are now more sophisticated. “They’re not the 15-year-old who knows how to play with software, sitting in his parents’ basement,” says Khaled Mansour, CEO of Spyders Inc., a Toronto cyber security firm. “They’re employed and well paid by many organizations and governments.”
When hackers steal personal information (such as social insurance numbers and credit card data) from an insurance company or other organization, they usually have two reasons. One, says Mansour, is to blackmail the company. The other is to sell the stolen data on the black market or use it for their own benefit (see right, “What a hacker can do with your stolen data”).
While the risk of a data breach can’t be fully eliminated, companies can mitigate it by asking their insurance providers some key questions.
1. Do you have a robust security awareness program for your staff?
Educating insurance staff about data protection is crucial because people are typically the weakest link when it comes to cyber security, says Mansour, explaining that well-meaning employees can inadvertently make the company vulnerable. “It’s easy to call an insurance company, pretend you’re from IT and you want to reset [someone’s] user ID and password, and get information from that person,” he explains. “You steal the credentials of that employee and then use them to get into the organization and embed malware to copy information and send it to the malicious people.”
2. Where will the personal data reside?
As more companies move to cloud computing, they may decide to store some personal data in the cloud. In this case, employers need to ensure the cloud service provider offers an extremely secure environment, Mansour advises.
3. Do you have a mechanism for detecting unusual activities and data movement?
Ask how the insurer monitors staff’s emailing and downloading activities to prevent information leaks, Mansour says. Various types of software can detect if data is moved to the cloud.
4. Who can access employees’ personal information?
Employers need to know what rules insurers have about unauthorized data access to ensure only those with a legitimate need can view clients’ personal data, explains Jason Hanson, a partner at Osler, Hoskin & Harcourt LLP. If the insurer’s practices aren’t robust, this can lead to class action lawsuits, he warns. The Ontario Court of Appeal recently allowed a plaintiff to start class action proceedings against the Peterborough Regional Health Centre for damages due to unauthorized data access. Health information custodians can face a similar threat for future incidents involving illegitimate access to personal health data, Hanson notes.
If these questions aren’t answered to your satisfaction, change your insurer, says Mansour. “Many employers wait until something happens and then they take their business away.”
Yaldaz Sadakova is associate editor of Benefits Canada.