Anthem is back in the news with another payout, this time $39.5M to 44 states and the District of Columbia over its 2014 breach of 78.8M patients' most sensitive information. We have mentioned Anthem a few times before, notably because it obtained a HITRUST Common Security Framework (CSF) certification shortly before the breach, and because we want to show the return on investment of a properly resourced HIPAA Security (and Privacy) program. We have frankly lost count of the money Anthem has (unfortunately) paid out and of the new strategies Anthem has promised to deploy (e.g. a zero-trust architecture) in support of a robust information security program. This settlement is the largest we can recall and is most likely only one piece of the litigation costs associated with the breach.
Tennessee-based Community Health Systems (CHS) has agreed to pay up to $5M to 28 states over its 2014 breach. Notably, CHS had already agreed to a $2.3M settlement with the HHS Office for Civil Rights that includes a two-year corrective action plan. Like Anthem, CHS has also agreed to implement a security program to protect its patients' information.
In both cases, a well-executed risk assessment might have better prepared these companies to understand their vulnerabilities and to mitigate the identified risks before a breach occurred. Secondarily, a strong compliance program can defend a breached company by documenting due diligence. There is more to a risk assessment than assessing risk, which is why so many firms advising healthcare clients ask to start with one. Click the graphic below if you have considered a risk assessment but did not know where to start.
Stay (HIPAA) safe,