Anthem in Record $16m HIPAA Settlement

Healthcare insurance giant Anthem has agreed to pay a record $16m settlement to the US government after a major 2015 breach affecting nearly 79 million customers.

The Blue Cross and Blue Shield Association licensee is one of the biggest providers in the country, but apparently failed to properly secure its infrastructure as required by the Health Insurance Portability and Accountability Act (HIPAA).

Attackers managed to infiltrate the organization through spear-phishing emails sent to a subsidiary, obtaining names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

It is said to have failed to have adequately tightened access controls, conducted an enterprise-wide risk analysis, regularly reviewed system activity and put in place effective incident detection and response capabilities.

“The largest health data breach in US history fully merits the largest HIPAA settlement in history,” said Roger Severino, director of the US Department of Health and Human Services, Office for Civil Rights (OCR). 

“Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information. We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”

Tim Sadler, CEO at Tessian, argued that machine learning technologies can help to spot phishing emails which human error might otherwise allow through.

“During the three years since the Anthem breach took place, spear-phishing attacks have increased significantly in their indistinguishability and effectiveness. Yet human error has remained inherent, inevitable and largely ignored as a security vulnerability by organizations,” he added.

“As long as these conditions continue, spear-phishing will be used, and used effectively, by bad actors.”

What’s Hot on Infosecurity Magazine?