
Anthem Inc. HIPAA Violation

June 21, 2021

Case Analysis

Anthem, a health insurance provider based in the US, is among the organizations that have violated HIPAA rules. According to OCR (2018), the corporation paid sixteen million US dollars and committed to extensive corrective action to address alleged HIPAA violations after a series of cyberattacks resulted in the largest breach of U.S. health information to date. An estimated 79 million individuals' electronic protected health information (ePHI), including names and medical IDs, was stolen.

HIPAA Privacy and Security Rules Violated

The HIPAA provisions Anthem Inc. was alleged to have violated included allowing hackers (unauthorized persons) to access PHI through Anthem's database, failing to conduct a risk analysis and to manage risks to the confidentiality, integrity and availability of PHI, and failing to implement security mechanisms that would ensure the confidentiality, integrity and availability of PHI. Additionally, the ePHI of the 79 million affected patients was not encrypted, nor did Anthem apply an equivalent measure that would have prevented the hackers from reading the data. The attacks began in 2014 and were discovered in 2015, yet Anthem did not implement adequate access controls to prevent unauthorized access to ePHI. The information stolen by the hackers included individuals' names and their health insurance IDs.

Penalties Imposed

Several penalties were imposed on Anthem Inc., including a payment of sixteen million dollars to the Office for Civil Rights (OCR) in 2018. Also, as a result of the lawsuits filed following the breach, the company had to pay one hundred and fifteen million dollars to patients whose health information was stolen. The total cost Anthem Inc. paid for violating HIPAA privacy and security rules, including state laws, was one hundred and seventy-nine million dollars. The sanctions included a $48.2 million cash penalty. OCR also required Anthem Inc. to adopt preventive measures to strengthen its data security standards.

Health System Improvement Plan

| Components | Subcomponents and roles |
|---|---|
| Anthem health system leadership and governance | Responsible for electronic health information, the legal and regulatory framework, information requirements, and health system leadership and management |
| Anthem health system management | Evaluating and monitoring the health system, mobilizing resources, and continuous professional development |
| ICT infrastructure | Responsible for maintaining infrastructure and communication networks |
| Interoperability of systems and data | Includes data management, network segmentation, data encryption and surveillance of information system activity |
| Quality of data | Assurance of data quality |
| Data usage | Strategies for how data should be used and accessed, user proficiencies, and impacts |

Risk analysis strategy

| Threat | Vulnerability | Asset | Consequences | Likelihood | Control |
|---|---|---|---|---|---|
| Data breach | Insufficient protection | Data | Theft of electronic protected health information | High | Protection of data using measures such as encryption |
| Misuse of information | Insufficient protection | Data | Misuse of stolen patient data | High | Data recovery capability |
| Identity theft, social engineering | Patient information is not protected | Patients | Violation of HIPAA privacy and security rules; penalties | High | Controlled access, account monitoring, training of security and IT personnel, background screening |
| DoS, botnets and hardware manipulation | Viruses, failure to update systems | Infrastructure | Theft of patient and company data | High | Malware defenses, control of privileged access, secure configuration and portfolio management |
| Software manipulation, information system misuse and installation of corrupt software | Viruses, lack of user training in system use | Applications | Data theft | Medium | Protection of email and browsers, secure configuration |

Application of learned lessons

The security breach came at an inopportune moment for Anthem, which had staked its reputation on using cutting-edge technology to help people monitor their wellness and navigate the healthcare system. The HIPAA lessons from this case include the importance of security audits, employee training, firewalls and encryption of patient data. A security audit includes conducting a HIPAA risk assessment regularly, while data encryption, together with passwords and other security mechanisms, keeps patient data safe at all times. When a breach is discovered, it is essential that the affected organization notifies law enforcement and the relevant regulatory bodies. Based on this case, the health sector should always be more vigilant about protecting the personal, medical and financial data in its control.

References

Morse, S. (2018). Anthem pays $16 million in record HIPAA settlement for data breach. Healthcare Finance. https://www.healthcarefinancenews.com/news/anthem-pays-16-million-record-hipaa-settlement-data-breach

US Department of Health and Human Services. (2018). Anthem pays OCR $16 million in record HIPAA settlement following largest US health data breach in history. https://www.hhs.gov/guidance/document/anthem-pays-ocr-16-million-record-hipaa-settlement-following-largest-us-health-data-breach

Vanderpool, D. (2019). HIPAA compliance: A common sense approach. Innovations in Clinical Neuroscience, 16(1-2), 38. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6450678/