Breaking Records: Anthem Pays the HHS Office for Civil Rights $16 Million in Record HIPAA Settlement
Anthem Inc., a licensee of the Blue Cross Blue Shield Association and one of the largest health insurers in the United States, has agreed to pay the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) a record $16 million, far surpassing the previous high of $5.55 million paid to OCR in 2016. The record-breaking settlement stems from a 2015 data breach that compromised the personal information of about 79 million people. What caused the largest health data breach in U.S. history? A cyber-attack that began with spear phishing emails.
On January 29, 2015, Anthem discovered that hackers had gained access to its IT systems through spear phishing emails sent to employees of one of its subsidiaries. The emails carried an urgent message and a link for the recipient to click. At least one employee clicked the link, and that single click gave the attackers the foothold they used for the rest of the intrusion. After Anthem filed its breach report, OCR opened an investigation, which found that the attackers had been inside Anthem’s systems between December 2014 and January 2015 and had extracted the records of about 79 million people. The compromised information included names, addresses, dates of birth, email addresses, medical identification numbers and employment information, as well as more sensitive data such as Social Security numbers.
After the settlement was announced, OCR Director Roger Severino noted that large health care entities are “targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.” The 2018 Black Hat Hacker survey report, based on responses from 300 hackers at the annual Black Hat conference, reaches a similar conclusion about corporate systems and endpoints: in 50% of the cases respondents described, they found employees re-using passwords that had already been exposed in other data breaches, and those recycled passwords gave them a path into the network.
HIPAA requires patient information to be properly protected by everyone who handles it, and University policy requires all employees to practice proper email and password management. Here are essential tips for safeguarding your accounts:
- Use strong passwords – do not use familiar names, personal information or easily guessed passwords such as “password” or sequences such as “12345.” Prefer a long passphrase, and never reuse a password across accounts: a password exposed in someone else’s breach is one of the first things an attacker will try against you.
- Change passwords at least every 90 days, as University policy requires, and immediately if you suspect one has been exposed. Rotation limits how long a stolen password stays useful; it does not by itself stop automated guessing, which is why length and uniqueness matter more.
- Do not share your credentials with anyone.
- Use Multi-Factor Authentication (MFA), which adds a second layer of defense: a password that has been phished or guessed is not enough on its own to get into your account.
- Minimize the use of your UM email address in online submissions to reduce spam.
- Do not give out your email address arbitrarily.
- Never click on links or open files that appear suspicious or are from an unknown source.
- Verify that the sender’s email address is authentic! Look at the actual address, not just the display name, and hover over links before clicking to see where they really lead.
- Delete spam, chain, clutter and other junk email.
- Do NOT forward and do NOT reply to spam or junk mail.
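The tips above ask you to check who a message really came from and where its links really go. The script below, added to this article as an illustration (it is not code from the original page or from UMIT), shows what an automated version of those checks looks like: it reads the sender address, the Authentication-Results header stamped by the receiving mail server (SPF, DKIM and DMARC outcomes), and the links in the HTML body, and reports the mismatches a phishing message typically carries. The two sample messages are constructed for the example, and the trusted domain is an assumption.

```python
"""Triage an inbound e-mail for common phishing indicators.
Added illustration, not code from the original page or from UMIT; the
sample messages are constructed and TRUSTED_DOMAIN is an assumption."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "miami.edu"   # assumed for the example


def auth_results(msg):
    """Read the Authentication-Results header(s) added by the receiving
    server, e.g. {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'fail'}."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(value)):
            results[m.group(1)] = m.group(2).lower()
    return results


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw):
    """Return a list of human-readable findings; an empty list is clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0] if msg["From"] else None
    name = sender.display_name if sender else ""
    addr = sender.addr_spec if sender else ""
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Display name that itself looks like an address at another domain:
    #    the classic '"helpdesk@miami.edu" <attacker@elsewhere>' trick.
    shown = re.search(r"@([A-Za-z0-9.-]+)", name)
    if shown and shown.group(1).lower() != from_domain:
        findings.append(f"display name '{name}' hides real sender {addr}")

    # 2. Lookalike domain: contains the trusted name but is neither it nor
    #    one of its subdomains (e.g. miami.edu.account-verify.example).
    if (TRUSTED_DOMAIN in from_domain and from_domain != TRUSTED_DOMAIN
            and not from_domain.endswith("." + TRUSTED_DOMAIN)):
        findings.append(f"sender domain {from_domain} imitates {TRUSTED_DOMAIN}")

    # 3. DMARC ties the visible From: domain to SPF/DKIM; anything but
    #    'pass' means the address the user sees was never verified.
    auth = auth_results(msg)
    if auth.get("dmarc") != "pass":
        findings.append("From: not authenticated (%s)" % ", ".join(
            f"{k}={auth.get(k, 'missing')}" for k in ("spf", "dkim", "dmarc")))

    # 4. Links whose visible text is a URL on a different host than the href.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if not re.match(r"(https?://|www\.)", text, re.I):
                continue  # plain wording, nothing to compare against
            seen = urlparse(text if "://" in text else "http://" + text).hostname
            real = urlparse(href).hostname
            if seen and real and seen.lower() != real.lower():
                findings.append(f"link shows {seen} but goes to {real}")
    return findings


# Constructed sample messages for the example (not real mail).
PHISH = """\
From: "helpdesk@miami.edu" <noreply@miami.edu.account-verify.example>
To: employee@miami.edu
Subject: URGENT: your mailbox will be suspended in 24 hours
Authentication-Results: mx.miami.edu; spf=fail smtp.mailfrom=account-verify.example; dkim=none; dmarc=fail header.from=miami.edu.account-verify.example
Content-Type: text/html; charset="utf-8"

<p>Verify now: <a href="http://account-verify.example/login">https://mail.miami.edu/</a></p>
"""

LEGIT = """\
From: UMIT Help Desk <helpdesk@miami.edu>
To: employee@miami.edu
Subject: Scheduled e-mail maintenance
Authentication-Results: mx.miami.edu; spf=pass smtp.mailfrom=miami.edu; dkim=pass header.d=miami.edu; dmarc=pass header.from=miami.edu
Content-Type: text/html; charset="utf-8"

<p>Details: <a href="https://it.miami.edu/maintenance">https://it.miami.edu/maintenance</a></p>
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, triage(raw) or ["no findings"])
```

Run as-is, the constructed phishing sample produces four findings (the display name hides a different sender, the domain imitates miami.edu, DMARC failed, and the link text does not match its target) and the legitimate sample produces none. The DMARC check matters most in practice: a mail gateway that enforces DMARC would have rejected or quarantined the first message before a user ever saw the urgent subject line.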
It is important to remember that you are entrusted with maintaining the privacy of our patients, employees, students, donors and research participants. If you suspect you have received a phishing email or that your email has been compromised, immediately contact the UMIT Help Desk at (305) 243-5999 or firstname.lastname@example.org.