Anthem Inc. HIPAA Violation
June 21, 2021
Anthem Inc. HIPAA Violation
Case Analysis
Anthem, a health insurance provider based in the US, is among the organizations that have violated HIPAA laws. According to OCR (2018), the company paid sixteen million US dollars and committed to take extensive remedial measures to address alleged HIPAA breaches after a sequence of hacks resulted in the biggest breach of U.S. health information in history. The electronic protected health information (ePHI) of an estimated 79 million people, which included names and medical IDs, was stolen.
HIPAA Privacy and Security Rules Violated
The HIPAA requirements violated by Anthem Inc. included allowing hackers (unauthorized persons) to access PHI through Anthem's database, failing to carry out a risk analysis and to manage risks to the confidentiality, integrity and availability of PHI, and failing to devise defense mechanisms that would ensure the confidentiality, integrity and availability of PHI. Additionally, the ePHI belonging to the 79 million patients was not encrypted, nor did Anthem apply equivalent measures that would have helped prevent the hackers from accessing the data. The attacks began in 2014 and were discovered in 2015, yet Anthem did not implement adequate access controls that would have helped prevent ePHI from being accessed. Information stolen by the hackers included the names of individuals and their health insurance IDs.
Penalties Imposed
Several penalties were imposed on Anthem Inc., including a payment of sixteen million dollars to the Office for Civil Rights (OCR) in 2018. In addition, because of the litigation and lawsuits filed following the breach, the company had to pay one hundred and fifteen million dollars for the patients whose health information was stolen. The total cost paid by Anthem Inc. for violating HIPAA privacy and security laws, including HIPAA state laws, was one hundred and seventy-nine million dollars. The sanction included a $48.2 million cash penalty. OCR also required Anthem Inc. to adopt preventive measures to enhance its data security standards.
Health System Improvement Plan
| Components | Subcomponents and roles |
| --- | --- |
| Anthem Health system leadership and governance | Responsible for electronic health information, the legal and regulatory framework, information requirements, and health system leadership and management |
| Anthem Health system management | Evaluating and monitoring the health system, mobilizing resources, and continuous professional development |
| ICT infrastructure | Responsible for maintaining infrastructure and communication networks |
| Interoperability of systems and data | Includes data management, network segmentation, data encryption and monitoring of information system activity |
| Quality of data | Assurance of quality data |
| Data usage | Strategies on how data should be used and accessed, use proficiencies and impacts |
Risk analysis strategy
| Threat | Vulnerability | Asset | Consequences | Likelihood | Control |
| --- | --- | --- | --- | --- | --- |
| Data breach | Less protection | Data | Stealing of electronic protected health information | High | Protection of data using measures such as encryption |
| Misuse of information | Less protection | Data | Misuse of stolen patient data | High | Data recovery competence |
| Identify threat, social engineering | Patient info isn't protected | Patients | Violation of HIPAA privacy and security rules. Penalties. | High | Controlled access, monitoring of the account, training of security and IT personnel, background screening |
| DoS, botnets and hardware manipulation | Virus, failure to update the system | Infrastructure | Stealing of patients and company data | High | Malware defense, control of privileged access, configuring securely and portfolio |
| Software manipulation, information system misuse and installation of corrupt software | Virus, illiteracy in system use | Applications | Data theft | Medium | Protection of emails and browsers, securing configuration |
Application of learned lessons
The security breach comes at an inopportune moment for Anthem, which has staked its reputation on employing cutting-edge technology to help people monitor their wellness and navigate the healthcare system. HIPAA lessons from this case include the importance of security audits, employee training, firewalls and encryption of patient data. A security audit includes carrying out a HIPAA risk assessment regularly, while data encryption includes using passwords and other security mechanisms to keep patient data safe at all times. When a breach is discovered, it is essential that the organization involved notifies law enforcement and related bodies. Based on this case, the health sector should always be more vigilant about protecting the personal, medical, and financial data in its control.
References
Morse, S. (2018). Anthem pays $16 million in record HIPAA settlement for data breach. Healthcare Finance. https://www.healthcarefinancenews.com/news/anthem-pays-16-million-record-hipaa-settlement-data-breach
US Department of Health and Human Services. (2018). Anthem pays OCR $16 million in record HIPAA settlement following largest US health data breach in history.
https://www.hhs.gov/guidance/document/anthem-pays-ocr-16-