The clash between the stringent privacy and security requirements of HIPAA and the known weaknesses of most computer systems creates a host of anxieties for modern medical care providers. The Health Insurance Portability and Accountability Act requires that medical providers and insurers put administrative, physical, and technical safeguards in place so that the medical information of their patients remains private. At the same time, it is increasingly apparent that almost every information system has at least a few vulnerabilities, even if only through its users, and few systems can withstand a dedicated, concentrated cyber assault.
The Anthem Hack
Anthem, Inc., one of the largest licensees of the Blue Cross Blue Shield brand, discovered this the hard way. In 2015, the company disclosed that it had fallen victim to cyber criminals. Using spear-phishing attacks, hackers had obtained system administrator credentials for Anthem's computer systems and gained access to the personal and health information of almost eighty million current and former customers of the insurer. Forensic analysis determined that the hackers had probably had access to the systems for weeks, if not months, before the intrusion was detected, and the sophistication of the attack suggested the involvement of a foreign government.
Consequences for Anthem
Anthem immediately found itself facing two different legal actions. A civil class action lawsuit was filed against the company on behalf of consumers whose records had been exposed. The litigation was ultimately consolidated in the Northern District of California. The company settled the lawsuit for $115 million in 2017, but the settlement did not receive final approval from the Court until August 2018. Many criticized the settlement because, after legal fees and expenses were deducted, individual victims would receive only a few dollars in compensation. At the same time, the suit represented the largest settlement of a data breach lawsuit at the time it was reached.
Additional Action From Dept. of Health & Human Services
Contemporaneously, the Department of Health and Human Services (HHS, whose Office for Civil Rights is the federal agency responsible for enforcing HIPAA) brought a regulatory action against Anthem, Inc. The department charged Anthem with failing to meet the minimum standards for protecting consumer data under the HIPAA Security Rule. Ultimately, Anthem agreed to pay HHS $16 million, in lieu of civil monetary penalties, to resolve the action. The $16 million settlement nearly triples the previous largest amount ever paid to the government in a HIPAA case.
Cyber Insurance Protects Businesses From Ongoing Costs Of A Cyber Breach
As part of both actions, Anthem, Inc. did not admit wrongdoing but did agree to a host of improved security measures, including encryption of sensitive data and ongoing monitoring of its systems. The payouts from the two legal actions total roughly $131 million, plus the company's own legal fees, as well as significant costs related to reputational damage, loss of goodwill, and breach notification. Cases like these are a good reminder of the high and lasting costs of a cyber attack and of the need to protect your business and your customers to the best of your abilities.