In 2015, Anthem, Inc. (“Anthem”) discovered that criminal hackers had breached its electronic database and gained access to over 79 million records, including the records of at least 12 million minors. The protected health information obtained by the hackers included, among other information, names, addresses, dates of birth, medical IDs, and Social Security numbers. The hackers were able to gain access to the information by using a “spear phishing” email technique. At least one employee received a phishing email and responded to it, allowing the hackers to gain remote access to the employee’s computer and at least 90 other systems, including Anthem’s data warehouse.
Although the massive data breach was first discovered in January 2015, the breach actually began on February 18, 2014, meaning the breach went undetected for almost a whole year. “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who gained access to their system to harvest passwords and steal people’s private information,” said Office for Civil Rights (“OCR”) Director Roger Severino.
Anthem has agreed to pay $16 million to the Department of Health and Human Services’ (“HHS”) OCR and take corrective action to prevent potential violations of HIPAA rules in the future. While other breaches like this have occurred in the past, this was the largest health data breach in U.S. history, and the $16 million settlement is now the largest HIPAA settlement in history.
Under the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by HITECH, covered entities and their business associates are required to safeguard protected health information. Under these rules, covered entities and business associates must: 1) ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit; 2) identify and protect against reasonably anticipated threats to the security or integrity of the information; 3) protect against reasonably anticipated, impermissible uses or disclosures; and 4) ensure compliance by their workforce. To satisfy these requirements, health care entities and their business associates must implement appropriate measures that include, without limitation, comprehensive policies and procedures to ensure the security of patient health information, workforce training, and risk assessments to identify and address any system vulnerabilities.
Despite an entity’s best efforts to protect electronic health information, the weakest link in cybersecurity is typically the individual user, as was the case with Anthem. Workforce members should be educated and regularly trained on identifying potential cyber threats and on how to avoid potential security compromises, such as what to do when a phishing email is received. When users know not to click on malicious links, open unfamiliar emails, or insert untrusted USB drives into their computers, the chances of a breach are substantially reduced.
Health care entities are a large target for cyberattacks. Therefore, it is critically important that health care entities and their business associates take appropriate steps to protect electronic health information. If you or your healthcare entity has any questions about safeguarding electronic health information, how to remain compliant with HIPAA and HITECH, or any other related questions, please contact an experienced healthcare attorney at (248) 544-0888, or via email at firstname.lastname@example.org. You may also subscribe to our health law blog by adding your email at the top right of this page.