Following the cyberattack on CareFirst Blue Cross, which comes on the heels of breaches at Premera Blue Cross and Anthem, insurers would be wise to reconsider how long they retain customer data.
Experts say the breach, which affected 1.1 million current and former CareFirst customers, would have had a smaller impact if the data had not been kept longer than necessary; records of former customers are exactly the exposure that a shorter retention window removes.
Companies often hold onto data protected under the Health Insurance Portability and Accountability Act (HIPAA), such as names, birthdates, email addresses and subscriber identification numbers. The six-year figure usually cited comes from HIPAA's documentation rule, which requires covered entities to retain required documentation (policies, procedures and compliance records) "for six years from the date of its creation or the date when it last was in effect, whichever is later"; retention periods for the medical records themselves are set by state law, not by HIPAA.
Companies often keep that information even longer in case it is needed for litigation, but many experts argue that the cost of a mass breach exceeds the cost of not having the data on hand.
The common recommendation is that any record older than five years be moved to a system with no Internet connection, so it cannot be reached from outside the company; with a five-year offline threshold and a six-year retention clock, a record spends its final retention year offline rather than on the production network. An offline archive removes the remote attack path but not insider access or theft of backup media, so the archived data still needs encryption, access controls and access logging.
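The retention rules above (clock starts at creation or last-in-effect date, whichever is later; records past the offline threshold leave the Internet-reachable system; records past the retention period are purge candidates unless under litigation hold) are concrete enough to automate. The following is an added illustrative example, not code from CareFirst or any vendor; the record layout, the five- and six-year thresholds, the legal-hold flag and the sample records are all assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed thresholds (illustrative; not taken from CareFirst or HIPAA guidance):
# past OFFLINE_AFTER_YEARS a record leaves the Internet-reachable system,
# past RETAIN_YEARS it becomes a purge candidate.
OFFLINE_AFTER_YEARS = 5
RETAIN_YEARS = 6


@dataclass(frozen=True)
class Record:
    record_id: str                    # hypothetical identifier
    created: date                     # date the record was created
    last_in_effect: Optional[date]    # None if the record was never superseded
    legal_hold: bool = False          # litigation hold blocks purging, not archiving


def retention_clock_start(rec: Record) -> date:
    """The clock starts at creation or the date the record was last in
    effect, whichever is later (the HIPAA wording quoted in the article)."""
    if rec.last_in_effect is None:
        return rec.created
    return max(rec.created, rec.last_in_effect)


def add_years(d: date, years: int) -> date:
    """Add whole years; a Feb 29 start that lands on a non-leap year
    falls back to Feb 28 rather than raising."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def classify(rec: Record, today: date) -> str:
    """Return one of 'keep-online', 'move-offline' or 'purge-eligible'."""
    start = retention_clock_start(rec)
    past_retention = today >= add_years(start, RETAIN_YEARS)
    past_offline = today >= add_years(start, OFFLINE_AFTER_YEARS)
    if past_retention and not rec.legal_hold:
        return "purge-eligible"
    if past_offline:
        # Held records stay retrievable but off the Internet-facing system.
        return "move-offline"
    return "keep-online"


def plan(records, today: date) -> dict:
    """Map each record id to the action the retention policy requires today."""
    return {rec.record_id: classify(rec, today) for rec in records}


# Constructed sample data; the "today" is an assumed evaluation date.
TODAY = date(2015, 5, 21)
SAMPLE = [
    Record("r1", date(2008, 1, 15), None),                 # well past six years
    Record("r2", date(2009, 3, 1), date(2011, 6, 30)),     # clock restarts at last_in_effect
    Record("r3", date(2009, 9, 1), None),                  # between five and six years
    Record("r4", date(2012, 2, 29), None),                 # leap-day creation date
    Record("r5", date(2007, 5, 1), None, legal_hold=True), # old, but under hold
]

if __name__ == "__main__":
    for record_id, action in plan(SAMPLE, TODAY).items():
        print(f"{record_id}: {action}")
```

The "whichever is later" rule matters in practice: r2 was created before r3 but stays online because it was re-issued in 2011, while r3 is already due for offline storage. Anything the sweep marks purge-eligible should go through the same legal-hold check before deletion, which is why the hold is modelled on the record rather than checked by hand afterwards.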
CareFirst joins Premera and Anthem as Blue Cross and Blue Shield brands to be targeted by data thieves in the past year.