The Security of Personal Health Data & Health Insurance

Balancing Innovation and Privacy—Exploring Data Security & Ethical Concerns in Health Insurance

There’s no denying that technological innovations have greatly advanced the world of healthcare. From improved medical equipment to more efficient systems, technology plays a large role in improving how we manage health care. Similarly, technological innovations play an important role in the management of health insurance. As a medical insurance stop-loss and risk management services provider, RMTS knows that well.

With everything from email lists to claims administration services conducted digitally, health insurance relies on technology for almost everything, with intermediary software often handling the bulk of that, including the storage and use of personal health data. Naturally, this goes hand in hand with security concerns, which are more than warranted. Recent data breaches at Change Healthcare, along with the software update by CrowdStrike that left millions compromised, raise the question of what intermediaries are doing with our personal health data.

On July 19, 2024, the cybersecurity firm CrowdStrike released a content configuration update that resulted in a Windows system crash. [1] For the company alone, this posed a significant problem—but the worldwide effects spelled disaster. Over eight million computers crashed around the world as a result, and the global IT outage left businesses and services reeling with hospital care disruptions, major airport delays as flights were grounded, and other disastrous upsets. [2]

Software updates are commonplace. From simple smartphone updates to large-scale ones like CrowdStrike’s, we’re constantly keeping up with new improvements in technology. The CrowdStrike crash, however, highlights significant vulnerabilities in cybersecurity and these constant innovations. While the update was caused by a human error, it illuminated the potential consequences of attacking the software that supports systems, rather than the systems themselves. And CrowdStrike isn’t the only company to suffer from a security breach this year.

Just back in February, Change Healthcare fell victim to a ransomware attack, with around 4TB of data stolen. The company, which provides services to healthcare providers, health insurance plans, and other companies, paid a $22 million ransom to ensure the deletion of the data. [3] Unfortunately, the data was instead sold to yet another ransomware group, which demanded even more. Change Healthcare estimated that around 500 individuals were affected, compromising their health insurance information, billing and claims information, and other personal information including Social Security numbers. [3]

There are many valid concerns when it comes to what intermediaries are doing with personal health data, and those concerns become painfully real when you bring the recent data breaches into the mix. Let’s take a look at some of the main ethical considerations surrounding the use of personal health data in the insurance industry.

Data Security

Perhaps the most obvious concern raised by potential data breaches is the security of the data in the first place. For insurers, it’s vital that they take the utmost security measures to protect against any potential data breaches and protect people’s personal health information. If that security is breached, the people entrusting their data to insurers will quickly lose that trust, and perhaps lose trust in the healthcare system on the whole. When individuals become hesitant to share their health information, insurance processes take a hit, along with the effective management of healthcare.

Concerns for Privacy

People have the right to their own health information—that doesn’t mean everyone else has it. Personal health data is a top concern when it comes to intermediaries handling health insurance information. There are protections in place, but those safeguards hardly matter if those intermediaries are breached. The exposure of sensitive health information to unauthorized eyes directly compromises individuals’ privacy, which leads to its own host of problems. At the very least, it runs up against the HIPAA Security Rule, which protects the health data of individuals and ensures the confidentiality, integrity, and security of that data. [4] If insurers are unable to maintain that protection, they run the risk of facing reputational damage, legal costs, and potential civil and criminal penalties.

Fears of Discrimination

Another concern about a breach of personal health data is that the information could be used to discriminate against individuals. This is a primary concern when it comes to insurers denying coverage or charging higher premiums, due to potential health risks suggested by the leaked data. Denial of coverage based on pre-existing conditions or other health issues is regarded as unfair treatment, and is something insurers must work to avoid.

Regardless of the consequences, the recent data breaches lead to one obvious conclusion: the need for transparency in the insurance space is greater than ever. Remaining clear about how health data is being used is vital for insurance companies. If that data is impacting decision-making processes in any way, such as claims or underwriting, insurers need to be transparent, at the least to maintain clients’ trust. Transparency also encourages better compliance and accountability, and helps individuals make informed decisions about their healthcare. It also helps protect against security threats and address the aftermath if a breach happens.

As a nationwide managing general underwriter, the team at RMTS more than understands that need for transparency—and we work hard to ensure it. In our work in medical risk management solutions and stop-loss health insurance, we strive to build relationships our clients can trust, giving them full transparency and control over their health plan data.

Sources

  1. https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/
  2. https://www.bbc.com/news/articles/cy08ljxndr4o
  3. https://www.hipaajournal.com/change-healthcare-responding-to-cyberattack/
  4. https://www.hhs.gov/hipaa/for-professionals/security/index.html