HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Encryption Almost Prevents Humana Data Breach in Wisconsin

Data encryption technology used by Humana may not have prevented a data breach, but it has certainly limited the extent of data exposed, the damage caused, and has considerably reduced the cost of remediation.

On Friday last week, Humana reported the theft of an encrypted laptop from an employee’s vehicle. Security keys for the laptop were not stolen, and the data stored on the device remain secure; however, along with the laptop, the thief stole documentation containing the names, dates of birth, and “clinic names” of 2,800 Medicare Advantage Plan subscribers.

In addition to the above data, 250 subscribers also had their Humana member identification numbers exposed, according to a recent report in the Milwaukee Journal Sentinel. A statement issued by Humana confirms that financial information and Social Security numbers were not compromised in the security incident.

The Breach Notification Rule of the Health Insurance Portability & Accountability Act (HIPAA) requires notification letters to be sent to all individuals who have had their Protected Health Information (PHI) exposed in a security breach. Humana will be notifying all affected individuals in the next few days that some of their data has been exposed, however Humana does not believe any information has been used inappropriately.

Please see the HIPAA Journal Privacy Policy

In an effort to prevent fraudulent use of their information, Humana will be issuing new identification numbers and cards to the 250 individuals whose ID numbers were compromised.

The company will also be conducting a refresher training course for all Humana employees who are required to transport documents and equipment containing the Protected Health Information of subscribers. The training session will cover physical security procedures that must be followed to keep PHI secure.

Data Encryption Prevents a Major Humana Data Breach


The data breach could have been much worse. The Louisville, KY – based health insurer holds the PHI of approximately 2.7 million subscribers to Medicare Advantage Plans, as well as 473,000 individuals who have been enrolled in employer-purchased Medicare Advantage Plans.

Had data encryption not been employed, many of those individuals would have had their data exposed. Humana would also potentially have been required to provide credit monitoring, credit protection and identity theft resolution services to the breach victims. The use of data encryption has therefore prevented Humana from having to cover considerable data breach costs.

Heavy HIPAA breach fines can also be issued by the OCR, state attorneys general and other regulatory bodies. Class-action lawsuits are also likely to be filed against organizations that fail to protect the PHI of patients and subscribers, and the costs from lost business and reputation damage following a security incident can be considerable.

Security incidents such as that suffered by Humana are difficult to prevent in many cases, therefore protections should be put in place to safeguard any equipment used to store PHI, especially if that equipment must be transported. The cost of using data encryption may be seen to be high, but it is low when compared to the cost of remediating risk after a large scale data breach. HIPAA Rules may not demand data encryption, but this incident shows how important an investment data encryption can be.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.