CareFirst data breach raises the question: How long should data be kept?

A massive 2014 data breach of 1.1 million current and former CareFirst BlueCross BlueShield beneficiaries announced this week has security experts pondering how long companies should hold data.

Mac McMillan, co-founder and CEO of the information security and privacy consulting firm CynergisTek, told Modern Healthcare that modern cyberattacks are made even worse by the fact that companies keep data long after it is needed.

“These breaches we're seeing wouldn't be near as large as they are if they weren't holding on to so much data,” he said. “One of the overarching questions that needs to be asked is, why are companies able to hold on to so much information on people they're no longer serving?”

The Health Insurance Portability and Accountability Act (HIPAA), signed into law in 1996, is often cited for a six-year retention period, but that period comes from HIPAA's implementing rules and applies to a covered entity's own compliance documentation (policies, procedures, and the records the rules require), which must be kept for six years from the date it was created or last in effect, whichever is later. It does not set a retention period for patient data: the HIPAA Privacy Rule, which took effect in 2003, leaves medical record retention to state law, and official HHS guidance states that “the HIPAA Privacy Rule does not include medical record retention requirements.”

Mark Shelhart, senior manager for incident response and forensics at the professional services firm Sikich, told Modern Healthcare that any data more than five years old that must be retained should not even be connected to the internet.

“Our answer, almost always, is get rid of it as fast as you possibly can,” he said.
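The two experts above describe a retention policy in words: destroy data once its retention period has run, and take anything older than a few years offline if it must be kept. The following is an added example (not code from the article, CareFirst, CynergisTek or Sikich) of what that policy looks like when written down as enforceable logic. The record classes, the two-year member-data window, the ten-year state medical-record period passed in by the caller, and the sample records are all hypothetical assumptions; the six-year "created or last in effect, whichever is later" rule for HIPAA compliance documentation and the five-year offline cutoff are the figures quoted in the text.

```python
"""Retention triage: decide which records to destroy, archive offline, or keep.

Added illustration, not from the article or any of the firms it quotes.
Record classes, the 2-year member window and the sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Action(Enum):
    KEEP_ONLINE = "keep_online"
    MOVE_OFFLINE = "move_offline"   # retained, but off any internet-reachable system
    DESTROY = "destroy"


@dataclass(frozen=True)
class Record:
    record_id: str
    kind: str              # "member", "medical_record" or "hipaa_doc" (assumed classes)
    created: date
    last_in_effect: date   # last date the record was active or the person was served


def add_years(d: date, n: int) -> date:
    """Calendar-year offset; Feb 29 anchors fall back to Feb 28."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def retention_deadline(rec: Record, state_medical_years: int) -> date:
    """Earliest date on which the record may be destroyed."""
    if rec.kind == "hipaa_doc":
        # HIPAA compliance documentation: six years from creation or from the
        # date it was last in effect, whichever is later (the edge case that a
        # naive "six years from creation" check gets wrong).
        return add_years(max(rec.created, rec.last_in_effect), 6)
    if rec.kind == "medical_record":
        # HIPAA sets no period for medical records; the caller supplies the
        # state-law period.
        return add_years(rec.last_in_effect, state_medical_years)
    if rec.kind == "member":
        # Assumption: member PII lives only as long as the relationship plus a
        # hypothetical two-year claims run-out.
        return add_years(rec.last_in_effect, 2)
    raise ValueError(f"unknown record kind: {rec.kind}")


def triage(rec: Record, today: date, state_medical_years: int,
           offline_after_years: int = 5) -> Action:
    """Destroy takes precedence over archiving; then apply the offline cutoff."""
    if today > retention_deadline(rec, state_medical_years):
        return Action.DESTROY
    if today > add_years(rec.last_in_effect, offline_after_years):
        return Action.MOVE_OFFLINE
    return Action.KEEP_ONLINE


def plan(records, today: date, state_medical_years: int) -> dict:
    """Group record ids by the action the policy assigns them."""
    out = {a: [] for a in Action}
    for rec in records:
        out[triage(rec, today, state_medical_years)].append(rec.record_id)
    return out


# Constructed sample data, evaluated as of the week of the CareFirst disclosure.
AS_OF = date(2015, 5, 20)
SAMPLE_RECORDS = [
    Record("MBR-1", "member", date(2010, 1, 1), date(2014, 6, 1)),          # still inside window
    Record("MBR-2", "member", date(2008, 3, 1), date(2012, 1, 15)),         # former member, window expired
    Record("MED-1", "medical_record", date(2009, 1, 1), date(2009, 1, 1)),  # state law keeps it, but offline
    Record("DOC-1", "hipaa_doc", date(2008, 1, 1), date(2010, 3, 1)),       # "later of" rule keeps it until 2016
    Record("DOC-2", "hipaa_doc", date(2005, 1, 1), date(2005, 1, 1)),       # six years long gone
]

if __name__ == "__main__":
    for action, ids in plan(SAMPLE_RECORDS, AS_OF, state_medical_years=10).items():
        print(f"{action.value:13s} {ids}")
```

DOC-1 is the case worth watching: anchored on its creation date it would be destroyed in 2014, but anchored on the later "last in effect" date it must be kept until March 2016, so the policy moves it offline rather than deleting it. Everything a breach of the online systems could expose is then only what the policy says must still be there.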

CareFirst gets frisked

The most recent healthcare organization to become the victim of a cyberattack was CareFirst BlueCross BlueShield, which announced this week that it had been attacked in 2014. Attackers gained access to private information, including names, contact information, dates of birth, and website user names, of 1.1 million current and former CareFirst members. The company said attackers did not gain access to website passwords or Social Security numbers as a result of the attack.

“Cyberattacks on businesses have, regrettably, become all too common,” Chet Burrell, CareFirst president and CEO, said in a statement. “We understand that news of a cyberattack on CareFirst BlueCross BlueShield (CareFirst) is a cause of concern for our members and others with whom we do business. Maintaining the privacy and security of our members’ personal information is one of our highest priorities.”

This is the third substantial cyberattack to be discovered this year related to BlueCross BlueShield insurance information. An attack earlier this year on Anthem affected the data of up to 80 million members. The attack on Premera Blue Cross affected the data of up to 11 million members.

CareFirst learned about this attack after hiring a security firm to examine its systems for evidence of past intrusions. The company provides health insurance coverage and other services to approximately 3.4 million people in Maryland, Virginia and Washington, D.C.

Burrell said in his statement that CareFirst would be offering members who were potentially affected by the attack two years of free credit monitoring and identity theft protection.

Further reading

The bad news for insurers, and everyone else, is that cyberattacks are not getting any easier to guard against. A recent study published in the Journal of the American Medical Association found that data breaches are on the rise and that the trend is proving increasingly difficult to stop or even slow down.

This infographic features some straightforward ways providers can keep patient data safe.