HIPAA and PHI: What Happened After the Anthem Breach
In 2014, a cybersecurity incident at Anthem, Inc. began what would become a game-changing data breach. This PHI breach changed how we view data breaches in healthcare and raised the bar for HIPAA fines.
The breach itself was not disclosed to the world until a year later. On 4 February 2015, Anthem announced that 78.8 million records of Protected Health Information (PHI) were exposed. These included names, addresses, birth dates, Medical IDs, and Social Security Numbers (SSN). A letter was duly sent out to affected individuals as per the HIPAA requirement for breach notification.
The Anthem PHI breach has rumbled on ever since. Lawsuits, as well as HIPAA non-compliance actions, ensued. A class-action lawsuit, consolidated from 100 separate cases, has cost Anthem $115 million. The company has also spent around $260 million on remedial security measures. In terms of HIPAA fines, Anthem paid out $16 million to HHS, the largest HIPAA fine ever paid to OCR.
So why did this happen, and how can you make sure you don’t end up in this kind of situation?
Analyzing the Causes
It is always useful to look back at the events that caused a data breach; forewarned is forearmed. In the case of Anthem, there seems to have been a long and slow exposure of PHI. But who perpetrated the theft and how exactly did they do it?
The cybercriminals behind the cyberattack on Anthem have since been identified as state-sponsored, with China as the alleged sponsor. A number of hackers have been charged with conspiracy to commit fraud, identity theft, and computer hacking.
The Department of Justice stated that the “defendants used sophisticated techniques to hack into the computer networks of the victim businesses without authorization”.
How they carried out the cyber-attack is interesting. It offers an insight into the multiple stages of a modern cyber-attack chained together to reach an end goal, in this case stealing vast amounts of ePHI. To expose and steal the Anthem PHI, the hackers used:
Phishing: Post-breach analysis of Anthem identified that the attack began with stolen credentials, most likely obtained via spear-phishing. This form of highly targeted phishing is common in data breaches and is behind some of the most well-known PHI breaches, including Premera Blue Cross. Organizations such as ThreatConnect have analyzed the attack and believe it originated at the Anthem subsidiary Amerigroup. The phishing email carried a malicious attachment that, when downloaded, infected the target machine with malware. The malware then set up a command-and-control channel, allowing it to be controlled remotely.
Privileged Access Issues/Privilege Escalation: Once inside, the cybercriminals were able to remotely manipulate system settings and escalate their access privileges, allowing them into more sensitive areas of a network.
Inadequate Security Measures: Anthem has been criticized for having lax policies and security measures in place, including poor overall security auditing and risk assessment. This was instrumental in allowing the malware to execute.
What Affected the Severity of the HHS Sanction?
After the Anthem breach, multiple industry bodies and the U.S. government analyzed the outcome. These included the NAIC and the Senate Health, Education, Labor and Pensions Committee. The OCR’s own analysis came up with the following statement:
“Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent cyber-attackers from accessing sensitive ePHI.”
To break that down, Anthem was severely lacking in the following key areas:
No system-wide risk analysis - Anthem did not carry out a risk analysis, including penetration testing, meaning that the company would have been unaware of the level of risk to patient ePHI.
No robust activity audit or monitoring - If Anthem had implemented a good activity monitoring system, they may have been aware of the long-standing malware installation going back to early 2014.
Poor security incident response measures
Lack of least-privilege access controls to ePHI - knowing what kinds of ePHI are held and where they are located allows an organization to grant access on a need-to-know basis and apply the principle of ‘least privilege’. This helps to minimize the risk of data exposure.
Ultimately, it was a mosaic of failures that caused the Anthem data breach and contributed to the biggest HIPAA fine in history.
Reduce the Risk of Another Anthem Level Breach
No organization wants to face what the staff of Anthem faced. Breach notification and post-breach remediation is a long, drawn-out process. As you can see from the figures, Anthem paid heavily, and in doing so set a new bar for HIPAA fines. To stay in compliance with HIPAA you should:
1 - Know your Data
The starting point is ensuring you have good information governance and know your data. What type of ePHI do you have? Where is it stored? Where does it flow from and to? (You could use this ePHI Audit Guide to start your analysis.)
2 - Good Monitoring and Auditing
A modern extended IT network is like a biological system: it almost breathes data, and ePHI can flow across myriad apps and endpoints. Robust monitoring and auditing not only help to protect against breaches but also support risk assessment if the worst should happen.
3 - Carry Out PEN Tests across Systems
Penetration testing is used to search for vulnerabilities across your network. It can help you to close off security gaps.
4 - Use the Right Security Measures
Having good security measures such as robust authentication and data leak prevention can help to minimize risks and prevent ePHI leaks.
5 - Apply Privileged Access Control
Use the principle of least privilege to determine your best data access governance policy and apply it.
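The OCR findings above (no regular review of information system activity, no minimum access controls) and the monitoring and least-privilege recommendations in points 2 and 5 can be turned into a concrete review of ePHI access logs. The example below is added here and is not Anthem's or OCR's tooling; the role table, thresholds and log lines are constructed assumptions, and it flags two things a reviewer would want surfaced: accounts reading record types their role has no need to know, and accounts whose daily read/export volume far exceeds normal work.

```python
"""Review constructed ePHI audit-log lines for least-privilege violations and bulk access."""
from collections import Counter
from datetime import datetime

# Hypothetical role -> ePHI record types that role has a need to know.
# An administrative service account maintains the system; it should read no member records.
ROLE_PERMISSIONS = {
    "claims_processor": {"claim"},
    "nurse": {"chart", "claim"},
    "db_admin": set(),
}

# Constructed: reads/exports per account per day above this count warrant incident review.
BULK_ACCESS_THRESHOLD = 500

# Constructed audit log: timestamp,user,role,action,record_type,record_count
SAMPLE_LOG = """\
2015-01-27T09:12:03,jdoe,claims_processor,read,claim,12
2015-01-27T09:40:51,jdoe,claims_processor,read,chart,3
2015-01-27T02:15:00,svc_backup,db_admin,read,member,80000
2015-01-27T02:16:00,svc_backup,db_admin,export,member,80000
2015-01-27T10:05:12,rnurse,nurse,read,chart,40
"""


def parse_log(text):
    """Turn CSV audit lines into event dicts with a parsed timestamp and integer count."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, action, rtype, count = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                       "action": action, "rtype": rtype, "count": int(count)})
    return events


def review_activity(events, permissions=ROLE_PERMISSIONS, threshold=BULK_ACCESS_THRESHOLD):
    """Return findings: (kind, user, detail) for need-to-know violations and bulk access."""
    findings = []
    seen_violations = set()
    daily_volume = Counter()
    for e in events:
        # Minimum-necessary check: the role must be permitted to touch this record type.
        if e["rtype"] not in permissions.get(e["role"], set()):
            key = (e["user"], e["rtype"])
            if key not in seen_violations:
                seen_violations.add(key)
                findings.append(("need_to_know_violation", e["user"], e["rtype"]))
        # Activity review: accumulate records read or exported per account per day.
        if e["action"] in ("read", "export"):
            daily_volume[(e["user"], e["ts"].date())] += e["count"]
    for (user, _day), total in daily_volume.items():
        if total > threshold:
            findings.append(("bulk_access", user, total))
    return findings
```

Running `review_activity(parse_log(SAMPLE_LOG))` surfaces the claims processor who opened a chart outside their role and the service account that read and exported member records in bulk, while the nurse's in-role chart reads produce no finding.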
6 - Security & Compliance Awareness Training
Make sure that your employees understand what HIPAA compliance requires. Also, make them security aware by carrying out training across the entire organization.
A Final Anthem?
Anthem has paid heavily for the data breach of 2014/2015 but fortunately weathered the storm. The lack of attention to security and poor information governance led to a series of unfortunate events linked to a spear-phishing attack.
This should never have happened. With the right measures in place, the attack may have been at least contained quickly, but it also could have been prevented.