Anthem is one of the largest insurance providers in the United States. Unfortunately in 2015, they had the dubious honor of suffering the largest health data breach in history. It left protected health information of nearly 79 million of their customers exposed.
As a result, a division of the US Department of Health and Human Services called the Office for Civil Rights (OCR), levied the largest fine against the company in the agency’s history. They were fined a staggering sixteen million dollars.
An investigation into the matter revealed that Anthem had not put sufficient safeguards in place to protect patient data. As a result, hackers were able to breach the system via a phishing attack and make off with customer names, addresses, dates of birth, social security numbers, email addresses and employment information.
The Director of OCR, Roger Serverino, had this to say:
“The largest health data breach in US history fully merits the largest HIPAA settlement in history. Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information. We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”
Tim Sadler, the CEO of Tessian, added the following:
“During the three years since the Anthem breach took place, spear-phishing attacks have increased significantly in their indistinguishability and effectiveness. Yet human error has remained inherent, inevitable, and largely ignored as a security vulnerability by organizations.”
He concluded his remarks by pointing out that advanced AI algorithms and machine learning could be employed to help spot the kinds of attacks used to such great effect against Anthem, in order to minimize the risks going forward.
If your business is in any way connected to the healthcare industry, this approach certainly bears further investigation.
The U.S. Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to help prevent such breaches.