Anthem, Inc. has agreed to pay a record-setting $16 million to HHS and to take substantial corrective action to settle a HIPAA breach assessment. This follows a series of cyberattacks that led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people.

In addition to the impermissible disclosure of electronic protected health information (ePHI), HHS’ investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyberattackers from accessing sensitive ePHI, beginning as early as Feb. 18, 2014.

Also, the SEC announced investigations focused on the internal accounting controls of nine publicly traded companies that had been victims of spoofed emails from persons purporting to be company executives or vendors. Each of the nine companies lost at least $1 million; two lost more than $30 million.

In total, the nine companies lost nearly $100 million to the perpetrators, almost all of which was never recovered. The SEC decided not to take any enforcement action against the nine companies it investigated, and its report made clear that it was not suggesting that every company victimized by a cyber-related scam has violated the internal accounting controls requirements. It did state, however: “What is clear, however, is that internal accounting controls may need to be reassessed in light of emerging risks, including risks arising from cyber-related frauds.”

The SEC emphasized that all of a company’s employees, not just IT and finance staff, must watch for cyber threats and remain vigilant. Similarly, HHS expects companies to perform a risk analysis and to incorporate its results into a process for implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, as required by the Security Rule.

In the meantime, this is a good time to remind clients that both cyberattacks and security requirements come from varied sources. Regular updates on threats and security procedures are important for protecting data and the company itself.

Did you know?

PrimePay is capable of providing assistance with development of a HIPAA Privacy Policy. 

Email compliance@primepay.com to learn more!