A few years ago, health insurance giant Anthem suffered America’s largest reported data breach. The breach began in January 2014 after an employee opened a phishing email containing malicious content. Using this malicious code, the attacker gained remote access to dozens of Anthem systems within the enterprise. After a year of searching, the attacker eventually reached the company’s enterprise data warehouse, which gave them access to 78.8 million unique user records. The company announced the breach in February 2015.
Potentially exposed data included names, medical IDs, Social Security numbers, dates of birth, email addresses and street addresses. Employment details were also potentially at risk. The breach affected a wide range of the organisation’s affiliated brands, including Unicare, Healthlink and Anthem Blue Cross.
The stolen data never surfaced publicly. Nevertheless, once disclosed, the breach heralded years of turmoil for the company as individual litigants and regulators alike sought compensation for the incident. With over 100 lawsuits emerging across the country, the individual litigants eventually brought a nationwide class action.
This week the claim was finalised, with Anthem set to pay a record $115 million in settlement. While the deal was agreed in late 2017, it was only recently approved by US District Judge Lucy Koh. The settlement includes a $16 million fine to the government as restitution.
According to the lawyers, this restitution money will go towards paying for two years of credit monitoring and identity theft protection for victims. Anthem must also conduct a thorough risk analysis of potential vulnerabilities to the confidentiality, integrity and availability of its health information. The company must then review and revise its written data security policies and procedures and provide the Department of Health and Human Services (DHHS) with annual reports on compliance. Essentially, Anthem will be focusing on strengthening its information security through a range of data security controls and encryption methods.
Proportionality was an important consideration for the DHHS, which noted that the “largest health data breach in US history fully merits the largest HIPAA settlement in history”. According to the victims, the company “failed to properly protect personal information in accordance with their duties, had inadequate data security, and delayed notifying potentially impacted individuals.”
Every day, news breaks about another company breach. According to Threatpost’s Tara Seals, this is “part of the new normal, as cyberattackers continue to hone their tactics and widen their target areas”. Indeed, the Identity Theft Resource Centre (ITRC) found that a record number of data breaches were reported in 2017, with 1,579 incidents representing a 44% increase on the figures reported for 2016.
Organisations must bolster their physical and technological security systems, as well as train their staff to recognise and prevent these types of breaches. Threat planning and management is becoming an increasingly important aspect of running a successful and safe business. Agilient’s consultants are highly skilled in thoroughly analysing and reporting on a business’s security. Contact our experts today to ensure the safety of your information, and follow us on LinkedIn for regular security updates.