Largest HIPAA Settlement to Date – Anthem Pays Millions After Cyber Attack
October 23, 2018
In the largest HIPAA settlement to date, Anthem Inc., a division of Blue Cross Blue Shield, will pay the Office of Civil Rights $16 million. This settlement is a response to the breach of almost 79 million people’s protected health information. Cyber attackers gained access to names, social security numbers, birth dates, addresses, and medical IDs through concentrated efforts to hack into the insurance provider’s system1.
Prior to this settlement, the largest fine ever paid to OCR for violations of HIPAA law was $5.5 million. Authorities believe a foreign government is responsible for the hack, due to the large scale of the attack. This settlement is a civil suit that is not associated with any government investigation into the incident2.
The Method Hacker’s Used to Gain Access to PHI
Cyber hackers used a method referred to as “spear phishing” to gain access to ePHI. Phishing involves posing as a reputable business and sending emails asking for login credentials to a company’s database or website. Anthem employees willingly gave their usernames and passwords to the hackers, thinking the emails they received were legitimate. The attackers then used the employees’ information to log into the company’s system and steal ePHI2.
How Could Anthem Avoided the Breach?
This incident is frightening. No one wants their personal information compromised, and no business owner wants to be responsible for compromising the PHI of their clients or employees. This could have been avoided had Anthem handled cybersecurity differently.
First, the company did not conduct an adequate risk analysis (also referred to as a risk assessment). This measure is imperative for preventing breaches. Without evaluating all potential threats, a company cannot fully protect itself. Additionally, Anthem did not have a policy of carefully and regularly monitoring system activity; therefore, it failed to respond to suspected security compromises in a timely manner3.
Lastly, Anthem did not establish appropriate levels of access for different parties. HIPAA requires that the amount of information a person can access correlates to their job responsibilities2. HIPAA requires people with access to PHI to use the minimum amount of sensitive data necessary to complete their task. This is called the Minimum Necessary Standard. Anthem failed to adhere, therefore when the hackers gained access, all the information in the database was available.
Notably, the hackers maintained consistent effort over an extended period of time. This is why remaining vigilant is crucial to preventing breaches. If Anthem had taken the correct security measures, it is possible that they could have prevented the attack altogether, or at least stopped the hackers months earlier. Large insurance companies’ databases are informational goldmines for hackers. If Anthem had conducted an appropriate risk assessment and trained employees, they might have avoided the phishing scam.
Consequences of the Breach
As mentioned previously, Anthem will pay OCR $16 million, which is by far the largest HIPAA settlement yet. They will have to comply with a corrective action plan created by HHS. The company also plans to provide credit monitoring and identity theft insurance to customers who may have been compromised by the hack.
Earlier this year, IBM conducted a study that showed on average, a breach costs a business $148 per compromised file4. This cost includes paying for services like credit checking, notifying compromised customers, and loss of business. These expenses continue to increase every year.
The life of your business and the security of your customers rely on your ability to follow HIPAA guidelines. Protect your livelihood and sensitive information of your clients by allowing us to guide you through HIPAA Compliance. We will work with you to create a custom plan to protect your business from a breach.
January 6, 2020
HIPAA breaches involving fewer than 500 individuals, which occurred during 2019, must be reported to the US Department of Health and Human Services (HHS) by Saturday, February 29, 2020. Reporting… Read More ›Read More