Anthem, a health insurer associated with Blue Cross Blue Shield, has agreed to the largest Health Insurance Portability and Accountability Act (HIPAA) settlement in history. The breach Anthem experienced, announced back in 2015, affected almost 79 million individuals.
According to Roger Severino, Director of the Office of Civil Rights (OCR) within the United States Department of Health and Human Services, “The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history.”
Anthem filed a breach report with OCR on March 13, 2015, stating that it had found that cyber-criminals had breached its IT systems and gained access to electronic protected health information (ePHI) that the company stored on behalf of its affiliated health plans as well as other covered entity health plans.
The advanced persistent threat attack that hit Anthem used spear-phishing emails sent to one of its subsidiaries. Unfortunately, at least one employee at the subsidiary engaged with the malicious emails, which gave the intruders access to the system.
As a result, between December 2, 2014 and January 27, 2015, cyber-criminals stole ePHI belonging to nearly 79 million patients. According to the OCR investigation, the exposed data included names, medical identification numbers, social security numbers, dates of birth, addresses, employment information as well as email addresses.
Apparently, Anthem had failed to put in place the measures necessary to detect intrusions as they occurred, or to detect that credentials were being harvested in order to steal private information. Director Severino added, “We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”
Along with the exposure of ePHI, the investigation showed that Anthem did not conduct an enterprise-wide risk analysis, did not have sufficient procedures to regularly review IT activity, failed to identify and respond to suspected or known security incidents, and failed to put in place adequate minimum access controls to prevent hackers from accessing ePHI.
The $16 million settlement with OCR pales in comparison to the cost of the data breach lawsuit that was filed earlier this year. The civil suit cost Anthem $115 million in settlement with some of the breach victims.
Ultimately, it would have cost Anthem a lot less than $131 million to improve password policies, add additional levels of authentication, and fully implement a comprehensive cybersecurity protection plan. It is entirely up to each organization to decide whether the cost is better paid up-front, where it can be controlled (and where it protects their brand), or whether it makes more sense to roll the dice and pay an astronomical bill later if (when) a cyber-attack exposes protected data on their network.