Avoid Pain After a Breach—Read the Fine Print
By Joe Gillespie, MS, RHIA, CHPS, and Susan Lucci, RHIA, CHPS, CHDS, AHDI-F
The Anthem Blue Cross breach made the cybersecurity data breach headlines across the nation in 2015. As the single largest email phishing attack up until that time, impacting nearly 80 million patients, this breach essentially changed the privacy and security world as we knew it. No longer was cybercrime something that happened only in retail stores involving credit cards. The bad guys had figured out where to find massive amounts of valuable data—and they knew exactly how to get it.
While credit cards are a common target, when a credit card is compromised the owner of the card typically can contact the bank, take care of the charges, and get a new card relatively quickly. The individual impact is generally short-lived and the inconvenience is pretty easily remedied, in the majority of cases, within a few days. A breach of protected health information (PHI), which most often includes personally identifiable information (PII), is far more intrusive and can last as long as the criminals choose to “keep” the information.
In the Anthem case, through a long and exhaustive investigation, it was determined the breach started with a single click by an employee who thought they were opening a legitimate email. Initial unauthorized access started on December 2, 2014, and continued until the date of discovery on January 27, 2015.
Once the investigation and reporting process was started, it took the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) until 2018 to conclude their investigation and enter into a settlement agreement with Anthem. OCR alleged the following HIPAA Security Rule violations:[1]

- Failure to conduct a security risk analysis—45 C.F.R. §
- Failure to review records of information system activity—45 C.F.R. § 164.308(a)(1)(ii)(D)
- Failure to detect a security incident that led to a breach—45 C.F.R. § 164.308(a)(6)(ii)
- Failure to implement technical policies and procedures pertaining to systems that maintain ePHI, allowing only authorized individuals to access that ePHI—45 C.F.R. §
- Failure to prevent unauthorized access of ePHI maintained in a data warehouse—45 C.F.R. § 164.502(a)
Beyond the OCR Fine
As with most large breaches, the settlement agreement included a corrective action plan (CAP) with Anthem. The settlement amount was a whopping $16 million, the largest ever, and the CAP will likely take approximately two years or longer to complete. As severe as this may be, this was not the end of the financial pain for Anthem.
The costs to Anthem go far beyond the $16 million OCR settlement agreement. Anthem paid $2.5 million to retain expert consultants to investigate the breach, $115 million to improve security within the organization as the result of a class action lawsuit,[2] $31 million to provide individual notification along with notification to the general public, and an additional $112 million for 24 months of credit monitoring for the 19.1 million individuals who were able to demonstrate that their personal information was stored in the data center that was hacked.
Reading the Fine Print
The irony in looking back at this massive breach is that Anthem took the time to invest in HITRUST Certification in 2013.[3]