On Jan. 29, 2015, health benefits provider Anthem, Inc. discovered that its IT systems had been hit with an advanced persistent threat (APT) designed to exfiltrate data. The cyber attack exposed the electronic protected health information (ePHI) of almost 79 million people, making it the largest healthcare data breach in history.
In October 2018, Anthem agreed to pay $16 million in fines to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for violations of the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA). The settlement was the largest in history, eclipsing the previous high of $5.55 million. Additionally, Anthem agreed to take corrective action to ensure compliance with HIPAA rules.
Under HIPAA, healthcare organizations must maintain patient privacy and implement security controls for medical records and other forms of ePHI.
The baseline controls mandated by the law are designed to reduce the risk of a data breach that “compromises the security or privacy” of healthcare data.
These rules also apply to third-party “business associates” such as claims processors, CPA firms, attorneys, consultants, independent medical transcriptionists, pharmacy benefits managers and others that have access to ePHI. When business associates receive ePHI, they become liable for the unauthorized disclosure of that information.
Multimillion-dollar HIPAA violation fines are increasingly common as healthcare organizations grapple with escalating cybersecurity threats. The OCR recently announced a $3 million settlement with Touchstone Medical Imaging for a 2014 data breach exposing more than 300,000 records. Cottage Health recently agreed to pay a $3 million fine and implement a corrective action plan related to two data breaches involving more than 55,000 records.
The healthcare sector suffers more data breaches than any other industry.
According to HealthITSecurity.com, more than 25 million healthcare records were potentially exposed in the first half of 2019 alone. The motivation behind these breaches is primarily financial: the data can be used to gain access to services, and to obtain devices and prescription medications that can be resold. A report from Trustwave found that one healthcare record was worth up to $250 on the black market, almost 50 times more than a payment card number.
These threats make HIPAA compliance critical. At minimum, healthcare organizations and business associates must control access to ePHI and issue unique credentials for each authorized user so access can be tracked in an audit trail. They are also required to conduct regular risk assessments, develop a risk management policy that addresses threats to ePHI, and have procedures for identifying and responding to security incidents.
Healthcare data breaches are often the result of human error
Employees fall for a phishing attack or fail to follow proper procedures for storing and sharing data. That’s why it’s important to go beyond HIPAA rules and implement strong network and end-user protections.
Global Data Systems has a proven track record of success helping healthcare organizations and business associates ensure the privacy and security of ePHI. Our consultants can help you develop a cybersecurity strategy that leverages our fully managed security solutions and expert monitoring and incident response capabilities. Our managed SD-WAN services work in concert with these solutions to enable the secure transmission and sharing of sensitive data.
Don’t let a data breach damage your reputation and put you at risk of hefty HIPAA penalties. GDS can help you implement the right solutions to meet regulatory requirements and protect your organization from cyberattack.