3 min read
When it comes to catching business associates that violate HIPAA , authorities are quick to dole out fines in the millions of dollars to companies that have flaunted the rules. This is precisely what happened with the 2015 Anthem breach where the second-largest health insurance provider in the world (after Blue Cross Blue Shield) paid a $16 million HIPAA fine and settled a class-action lawsuit for $115 million. The fallout continues today, five years later. The company has recently settled to pay out an additional $40 million to 44 different states as a result of further investigations and litigation into damages.
Background
Back in 2015, we wrote an article about Anthem's enormous class-action lawsuit and did some simple math for you: since 80 million people are covered through Anthem, that means that around a quarter of the United States of America had their protected health information (PHI) , such as names, birthdates, social security numbers, and medical identification, leaked. This was a result of Anthem not encrypting their databases, and we've certainly learned a lot about encryption since then. In fact, entire products have been developed to maintain encryption standards in order to remain HIPAA compliant while using digital tools.How Anthem got hacked
The cause of this particular hack was due to an advanced persistent threat (APT) linked to a Chinese foreign threat actor that gained initial access in February 2014 when an employee opened a phishing email which was not internally discovered until January 2015 after the hacker had already exfiltrated a large amount of unencrypted PHI. In this instance, a user within one of Anthem’s subsidiaries opened a phishing email with the URL: http://www.we11point.com which was a misnomer of the outdated http://www.wellpoint.com . This is a prime example of domain spoofing, a common tactic in phishing attacks. These types of breaches are common for large organizations with significant amounts of lucrative data. The average cost of a single healthcare record on the black market is $363. A report by cybersecurity firm Mandiant found that Anthem could take some additional steps to prevent future attacks by:- Training employees to identify phishing emails
- Deploying a robust spam filter that detects malware and suspicious emails
- Deploying a web filter that blocks connections to malicious content
- Using security policies that require password expiration, renewal, and complexity such as two-factor authentication
What is happening now
While Anthem agreed to pay a $16 million HIPAA fine, a further $115 million in lawsuits was also paid out to fund two years of credit monitoring for victims as well as other breach-related expenses. The most recent settlement of $40 million will be paid out to 44 states, with money allocated according to the number of individuals affected in the state. In addition to the multi-state settlement, new provisions include the prohibition against misrepresentation about Anthem’s privacy, updated security monitoring for PHI, as well as a comprehensive security program with zero trust architecture .Why you should contract with a HIPAA-oriented service
If this example is not enough to make you consider going with a proven service that can secure patient data, then we don’t know what will. Anthem could have saved hundreds of millions of dollars if it had just encrypted PHI from the get-go. While Anthem has gone through a massive IT security overhaul during the last few years, this latest class action lawsuit shows that the fallout from these kinds of situations can last for years. It’s better to prevent the breach in the first place. By working with a HIPAA compliant email provider, you avoid the potential risks of leaked PHI that can result in severe damages and fines that might sink a smaller company without nearly as many resources as the second-largest health insurance provider in the nation. For example, the Paubox Email Suite Plus includes two key features that can effectively mitigate email phishing risks:- Inbound Security: Robust spam, virus, ransomware, and phishing protection that stops threats before they reach your inbox
- ExecProtect: Patented protection from display name spoofing attacks, preventing hackers from impersonating your CEO or other company leaders to trick employees into compromising your security
