Anthem’s record-breaking data breach settlement on Monday has put providers and insurers on notice that ignoring cybersecurity risks can come with a hefty price tag.
The nation’s second-largest insurer will pay HHS’ Office for Civil Rights $16 million over a 2015 data breach that affected almost 79 million people, the largest data breach ever reported to the agency. Other healthcare organizations face similar threats, especially if they have large sets of data that can entice hackers, according to cybersecurity experts.
“The security risk analysis is not a check-the-box activity,” said Beth Pitman, counsel for law firm Waller Lansden Dortch & Davis. “It needs to be updated regularly and incorporated into the business processes of the entity.”
Data breaches put members’ and patients’ privacy at risk, and they can damage organizations’ reputations. OCR Director Roger Severino noted on Monday that a “breach of trust” calls for a large penalty.
Before Anthem’s $16 million settlement, OCR’s largest resolution amounts had been in the $5.5 million range, including the $5.5 million Memorial Healthcare System agreed to pay in 2017 over a breach that affected more than 115,000 people.
In Anthem’s case, hackers gained a foothold on the network after at least one employee responded to a spear-phishing email, according to OCR, and went on to steal names, birthdates, Social Security numbers, home addresses and other information of current and former members and employees.