Protecting sensitive client and employee information is a critical mission for today's insurance industry, as data breaches continue to target firms nationally and internationally.
As a result of multiple consumer complaints, the Delaware Department of Insurance was recently made aware of a security breach, involving Summit Reinsurance Services and BCS Financial Corporation, both subcontractors of Highmark Blue Cross Blue Shield of Delaware. The breach affects thousands of Delawareans with employer-paid plans. As reported by Highmark Blue Cross Blue Shield of Delaware, the breach impacts a total of 16 current and former Highmark self-insured customers and approximately 19,000 of their members.
According to recent reports, one of the biggest cybercrimes in the history of healthcare was the result of a foreign government that hacked its way into nearly 100 computer systems operated by major health insurer Anthem. A newly issued report from the California Department of Insurance and six other state insurance commissions, following a year-long investigation, concluded with a significant degree of confidence that the cyber attacker was acting on behalf of a foreign government and cautioned that insurers and regulators alone cannot stop foreign-government-assisted cyberattacks. The Personally Identifiable Information (PII) of approximately 78 million people was compromised in the Anthem data breach.
In the UK recently, an insurance firm was fined by the UK's data protection watchdog over the theft from its premises of a storage device containing information on nearly 60,000 customers. According to the ICO's monetary penalty notice, the device that was stolen was a portable Network Attached Storage device taken offline and removed from the company's data server room. The device contained information on 59,592 customers, including their names, addresses and bank account information, as well as credit card data on 20,000 of those customers.
What is considered PII?
Sensitive PII is PII that, if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. Some categories of PII are sensitive as stand-alone data elements, for example a Social Security Number (SSN), driver’s license or state identification number, passport number, Alien Registration Number, or financial account number.
According to the United States Department of Labor (DOL), Personally Identifiable Information (PII) is defined as any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. According to the DOL, PII is information that can:
- Directly identify an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.)
- Specify individuals in conjunction with other data elements, i.e., indirect identification. These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors.
- Permit the physical or online contacting of a specific individual; such information is likewise PII, whether it is maintained on paper, electronically, or in other media.
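The three DOL categories above can be turned into a simple record classifier: stand-alone sensitive elements, direct identifiers, and quasi-identifiers that only identify someone in combination. The following Python is an added example, not code from the original article or from any agency or insurer it mentions. The field names, the regular expressions, and the rule that two or more quasi-identifiers together count as indirect identification are illustrative assumptions, and the sample records are constructed. It also scans free-text fields for sensitive values that leak into them, which is where a records review most often turns up surprises.

```python
"""Classify records by the PII categories described in the text above.

Added example, not from the original article. Field names, patterns and the
quasi-identifier threshold are illustrative assumptions.
"""
import re

# Category 1: elements that are sensitive PII on their own (assumed field names).
SENSITIVE_STANDALONE = {"ssn", "drivers_license", "passport_number",
                        "alien_registration", "account_number"}
# Category 2: elements that directly identify a person.
DIRECT_IDENTIFIERS = SENSITIVE_STANDALONE | {"name", "address", "phone", "email"}
# Category 3: quasi-identifiers that identify only in combination.
QUASI_IDENTIFIERS = {"gender", "race", "birth_date", "zip_code"}
QUASI_THRESHOLD = 2  # assumption: two or more together = indirect identification

# Patterns for sensitive values that leak into free-text fields such as notes.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def luhn_ok(digits):
    """Luhn check so that random digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(value):
    """Return the labels of sensitive patterns found in a free-text value."""
    found = []
    for label, pattern in PATTERNS.items():
        for match in pattern.finditer(value):
            if label == "card_number" and not luhn_ok(re.sub(r"\D", "", match.group())):
                continue
            found.append(label)
    return found


def classify_record(record):
    """Classify one record as sensitive, direct, indirect, or none."""
    present = {k for k, v in record.items() if v not in (None, "")}
    sensitive = sorted(present & SENSITIVE_STANDALONE)
    direct = sorted(present & DIRECT_IDENTIFIERS)
    quasi = sorted(present & QUASI_IDENTIFIERS)
    # Scan fields that are not already known identifiers for leaked values.
    leaked = []
    for key, value in record.items():
        if isinstance(value, str) and key not in DIRECT_IDENTIFIERS:
            leaked.extend(f"{key}:{label}" for label in scan_text(value))
    if sensitive or any(l.endswith((":ssn", ":card_number")) for l in leaked):
        level = "sensitive"
    elif direct or any(l.endswith(":email") for l in leaked):
        level = "direct"
    elif len(quasi) >= QUASI_THRESHOLD:
        level = "indirect"
    else:
        level = "none"
    return {"level": level, "sensitive": sensitive, "direct": direct,
            "quasi": quasi, "leaked": leaked}


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "zip_code": "19801"},
    {"gender": "F", "birth_date": "1980-01-01", "zip_code": "19801"},
    {"plan_id": "H-0042", "notes": "Member called re: claim; card 4111 1111 1111 1111 on file"},
    {"plan_id": "H-0042", "gender": "M"},
]


def classify_all(records=SAMPLE_RECORDS):
    return [classify_record(r) for r in records]


if __name__ == "__main__":
    for rec, result in zip(SAMPLE_RECORDS, classify_all()):
        print(result["level"], sorted(rec), result["leaked"])
```

The second sample record holds no direct identifier at all, yet gender, birth date and ZIP code together are enough to flag it as indirect identification; the third is classified as sensitive only because the Luhn-valid card number sits inside a notes field that a field-name-only inventory would have passed as harmless.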
PII is a target for cyber criminals because it is often relatively poorly secured.
Protecting PII is a challenge for individuals and enterprises alike. Every business is built on people and processes - clients, customers, partners, vendors, employees. As such, every business is responsible for the actions of its staff and the effectiveness of its processes and best practices when it comes to protecting PII. Almost all organizations hold some PII whose disclosure would result in a loss of privacy for the individual; at a minimum, most hold staff records.
Do you have any questions about protecting PII?