Largest HIPAA Settlement to Date – Anthem Pays Millions After Cyber Attack

In the largest HIPAA settlement to date, Anthem Inc., a division of Blue Cross Blue Shield, will pay the Office of Civil Rights $16 million. This settlement is a response to the breach of almost 79 million people’s protected health information. Cyber attackers gained access to names, social security numbers, birth dates, addresses, and medical IDs through concentrated efforts to hack into the insurance provider’s system1.

Prior to this settlement, the largest fine ever paid to OCR for violations of HIPAA law was $5.5 million. Authorities believe a foreign government is responsible for the hack, due to the large scale of the attack. This settlement is a civil suit that is not associated with any government investigation into the incident2.   

The Method Hacker’s Used to Gain Access to PHI

Cyber hackers used a method referred to as “spear phishing” to gain access to ePHI. Phishing involves posing as a reputable business and sending emails asking for login credentials to a company’s database or website. Anthem employees willingly gave their usernames and passwords to the hackers, thinking the emails they received were legitimate. The attackers then used the employees’ information to log into the company’s system and steal ePHI2.

How Could Anthem Avoided the Breach?

This incident is frightening. No one wants their personal information compromised, and no business owner wants to be responsible for compromising the PHI of their clients or employees. This could have been avoided had Anthem handled cybersecurity differently.

First, the company did not conduct an adequate risk analysis (also referred to as a risk assessment). This measure is imperative for preventing breaches. Without evaluating all potential threats, a company cannot fully protect itself.  Additionally, Anthem did not have a policy of carefully and regularly monitoring system activity; therefore, it failed to respond to suspected security compromises in a timely manner3.

Lastly, Anthem did not establish appropriate levels of access for different parties. HIPAA requires that the amount of information a person can access correlates to their job responsibilities2. HIPAA requires people with access to PHI to use the minimum amount of sensitive data necessary to complete their task. This is called the Minimum Necessary Standard. Anthem failed to adhere, therefore when the hackers gained access, all the information in the database was available.

Notably, the hackers maintained consistent effort over an extended period of time. This is why remaining vigilant is crucial to preventing breaches. If Anthem had taken the correct security measures, it is possible that they could have prevented the attack altogether, or at least stopped the hackers months earlier. Large insurance companies’ databases are informational goldmines for hackers. If Anthem had conducted an appropriate risk assessment and trained employees, they might have avoided the phishing scam.

Consequences of the Breach

As mentioned previously, Anthem will pay OCR $16 million, which is by far the largest HIPAA settlement yet. They will have to comply with a corrective action plan created by HHS. The company also plans to provide credit monitoring and identity theft insurance to customers who may have been compromised by the hack.

Earlier this year, IBM conducted a study that showed on average, a breach costs a business $148 per compromised file4. This cost includes paying for services like credit checking, notifying compromised customers, and loss of business. These expenses continue to increase every year.

The life of your business and the security of your customers rely on your ability to follow HIPAA guidelines. Protect your livelihood and sensitive information of your clients by allowing us to guide you through HIPAA Compliance. We will work with you to create a custom plan to protect your business from a breach.

1 https://www.hhs.gov/about/news

2 https://www.apnews.com

3 https://www.healthcarefinancenews.com/news

4 https://www.ibm.com/security/data-breach

Sharing is caring!

Documents

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.


Download Now

Want to stay informed?

Join our community, stay ahead of the curve on HIPAA compliance and receive free expert guidance.

State of HIPAA Compliance in 2024

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!

Document

Related Posts

What is Access Control in terms of HIPAA?

What is Access Control in terms of HIPAA?

In today's digital world, protecting sensitive data is paramount. This is especially true for organizations that handle electronic Protected Health Information (ePHI), whether you're a healthcare...

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)