PHI - a big buzzword in my industry. It means personal health information. Many carriers are trying to help insureds have access to this online: a single source to store information about one's health, immunizations, conditions, allergies, etc. Kaiser Health Plan actually does this very well inside its captive staff-model HMO environment. Other health plans, such as Anthem and Health Net, are partnering with other companies to try to capture this data for their insureds. It's not a bad idea. I rather like a single source, not only for myself but also for my other family members. In the event of an emergency, this is very valuable information for a medical provider to have (however, most don't know where and how to look for it, so getting it online is really only the first step - but that's a different discussion).
Now the problem - WellPoint, parent company of Anthem Blue Cross, just disclosed that over 130,000 members had their personal health records hacked into, and Social Security numbers and prescription information may have been compromised. Now, we all know that middle-aged people in their boxer shorts sit at home all day in mom's basement trying to hack into anything they can for kicks, but someone has to stop this. Personal data of any type needs to be safe and out of the hands of those who might use it against us. In order for the carriers to continue to promote this type of information, they are going to have to do a better job of making sure that the people we don't want to see this information can't!
Thursday, April 10, 2008
1 comment:
To clarify and add info:
1. WellPoint's security problems were first exposed by PogoWasRight.org on April 7. You can read the details of our investigation at http://www.pogowasright.org/staticpages/index.php?page=20080407084747373
Once we exposed their two previously unreported incidents involving unencrypted personal information, then they gave a statement to a friendly AP reporter. They have not admitted or acknowledged to any of the big news sources that they didn't know about the problem until PogoWasRight.org notified them.
2. Their incidents involved no hacking. Hacking would have meant that there was some security to get around or through. They had no security at all to speak of. They left files exposed to indexing and caching by Google.
When a customer notified them that sensitive data was showing up in Google (they hadn't noticed, even though the files were up there for at least months and possibly years), they said they "fixed" the problem. But they didn't fully fix their security problems. So....
Files containing sensitive info were still available. Anyone who knew the URL could go get them. For over a year. And again, WellPoint didn't seem to notice.
On April 1, PogoWasRight.org notified WellPoint that their members' info was still accessible via the web.
So 130,000 people had their data vulnerable on the web for over a year and WellPoint had no clue. None. They had to be told.
And they nearly missed my email notifying them of their security problems because one person deleted my email to him without even reading it! Can you imagine...
This breach is a nightmare on so many levels. How could the largest commercial health insurer have such rotten security on their servers? How could they have FOUR breaches involving unencrypted data -- or four that we know about?
PogoWasRight.org is not done with our investigation and reports on WellPoint, so stay tuned.
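The gap the comment describes, a "fix" that only stops search engines from indexing a file while leaving it downloadable by anyone who knows the URL, as an added example that is not part of the post or the comment: a tiny local WSGI server with one path that only sends a noindex header and one that actually requires a credential, plus an unauthenticated audit that reports which of them still return 200. The paths, the sample record and the bearer token are constructed for this example.

```python
import threading
import urllib.error
import urllib.request
from wsgiref.simple_server import WSGIRequestHandler, make_server

# Constructed sample record; paths and the bearer token are hypothetical.
SENSITIVE = b"member_id,ssn,prescription\n0001,000-00-0000,(redacted)\n"
HEADERS = [("Content-Type", "text/csv"), ("X-Robots-Tag", "noindex, nofollow")]

def app(environ, start_response):
    path = environ.get("PATH_INFO", "")
    if path == "/noindex-only/members.csv":
        # The search-engine "fix" only: the file stops being indexed, but
        # anyone who knows the URL still gets it, the gap the comment describes.
        start_response("200 OK", HEADERS)
        return [SENSITIVE]
    if path == "/protected/members.csv":
        # Real access control: no valid credential, no file.
        if environ.get("HTTP_AUTHORIZATION") != "Bearer example-token":
            start_response("401 Unauthorized", [("WWW-Authenticate", "Bearer")])
            return [b""]
        start_response("200 OK", HEADERS)
        return [SENSITIVE]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]

class QuietHandler(WSGIRequestHandler):
    def log_message(self, *args):  # keep request logs out of the output
        pass

def audit_unauthenticated(base_url, paths):
    """Fetch each path with no credentials; a 200 means the file is exposed."""
    results = {}
    for p in paths:
        try:
            with urllib.request.urlopen(base_url + p, timeout=5) as resp:
                results[p] = resp.status
        except urllib.error.HTTPError as err:
            results[p] = err.code
    return results

def run_audit():
    """Serve the sample app on a free local port, audit it, then stop it."""
    srv = make_server("127.0.0.1", 0, app, handler_class=QuietHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return audit_unauthenticated("http://127.0.0.1:%d" % srv.server_address[1],
                                     ["/noindex-only/members.csv", "/protected/members.csv"])
    finally:
        srv.shutdown()
```

Running `run_audit()` reports 200 for the noindex-only path and 401 for the protected one; the same audit, pointed at a real file inventory, is the check that a search-engine removal alone does not satisfy.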