In our last blog, we looked at the impact of security breaches on the healthcare industry. This week, we will cover the top three healthcare-related data breaches of the past 10 years – namely, those at Anthem Inc., AMCA, and Premera Blue Cross, which together represent a staggering 100,000,000 patient records exposed, more than $22 million in fines for HIPAA violations, and ongoing lawsuits of at least $115 million.
Our focus for this blog series at Access is not to cause alarm, but rather to convey the seriousness of healthcare security. We encourage your healthcare system to act now to mitigate potential vulnerabilities, considering the damage a breach causes to patients, families, and healthcare organizations. In recent years, Access has set the standard for healthcare eSignature third-party vendors with top-tier security standards. During initial audits, we were shocked to discover that our counterparts in the industry hold security scores that reflect major vulnerabilities, which could put entire health systems at risk. We encourage you to request a security audit of your top five vendors HERE or see for yourself on securityscorecard.com.
Let’s look at the top three security breaches in recent years and key takeaways.
Anthem Inc. – 2014
Patients Exposed: 78.8 Million
Total Penalties: $16 Million
Lawsuit Totals: $115 Million
The largest healthcare data breach to date, with over 78 million records exposed, occurred due to major security oversights at Anthem, Inc. The breach resulted in a $16 million payment to the Department of Health and Human Services Office for Civil Rights (OCR) for violations of HIPAA and of security protocols that should have been in place, and a record settlement of $115 million, which lawyers said would be the largest settlement ever for a data breach, according to NBC News. It was determined that Anthem’s security team failed to conduct an enterprise-wide risk analysis, had insufficient procedures for reviewing information system activity, and failed to identify or respond appropriately when they became aware of a hacker attack as early as February 18, 2014. According to the Anthem Resolution Agreement, repercussions for the company included the payment of $16,000,000, full disclosure of the agreement’s terms and conditions, and compliance with a Corrective Action Plan.
AMCA, Optum360 & Quest Diagnostics – 2019
Patients Exposed: 11.5 Million
Total Penalties: Case Pending
In May 2019, Gemini Advisory announced that over 200,000 patients’ credit card details were listed for sale on the dark web, likely stemming from a breach that occurred between September 2018 and March 2019 at AMCA (American Medical Collection Agency). AMCA provides billing collection services to Optum360, which is a Quest Diagnostics contractor. AMCA alerted Quest Diagnostics and Optum360 of the breach on May 14, 2019. According to a HIPAA Journal publication, “AMCA suspects around 11.9 million Quest patients have been impacted by the breach. AMCA also confirmed the compromised system contained data from entities other than Quest Diagnostics.” While the investigation is still ongoing, CNBC confirmed in a statement from AMCA that unauthorized user access is being investigated as a potential cause. Furthermore, AMCA has taken down its web payment portal, hired an external forensics firm to investigate, and taken other proactive measures to increase system security.
Premera Blue Cross – 2014
Patients Exposed: 11 Million
Total Penalties: $6.8 Million
Lawsuit Totals: Unknown
In May 2014, hackers gained access to Premera Blue Cross’s (PBC) IT system through a phishing attack that led to the installation of spyware. For nine months, the hackers had access to over 10 million individuals’ personal health information. OCR’s assessment of Premera Blue Cross found that the company was not meeting federal regulations and standards, including failure to conduct a risk analysis, implement appropriate security measures, or maintain internal audits. OCR’s Director, Roger Severino, stated, “If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will. This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months.” Consequently, Premera Blue Cross was required to pay the second-largest HIPAA fine to date, $6.8 million, agreed to a corrective action plan including two years of monitoring, and invested $42 million to enhance its own information security. According to Alexander’s Blog, covering lessons learned from the PBC data breach, there were ample warnings from the FBI and the U.S. Office of Personnel Management that such an event could occur. “For almost 10 weeks, Premera did not respond to the warnings from the federal auditors, which included 10 recommendations to fix the vulnerabilities in Premera’s network. Three weeks after the warning, Premera was hacked in one of the largest healthcare data breaches in history.” Premera also failed to disclose security inaccuracies, which led to additional class action lawsuits.
Key Takeaways for the Top 3 Healthcare Security Breaches:
- There are numerous ways data breaches can occur, ranging from unauthorized access to human factors such as spyware installed through phishing attacks.
- It can be months between the time a breach occurs and the time it is discovered.
- Breaches are extremely expensive for the organizations involved.
- Poor security standards at a third-party vendor put every business they’re associated with at risk.
- Simple security audits can provide useful insights into which vendors need to strengthen their security measures and which are leaving you exposed altogether.
- Third-party audits and warnings can help you stop a breach before it occurs.
- In nearly all of these cases, failures to follow HIPAA and security protocols were a leading internal cause.
- Failure to disclose HIPAA violations can result in extremely large, ongoing class action lawsuits.
- It’s always better (and less expensive) to be proactive.
A final word from Access eForms CIO, Scott Fuller:
“We are here to help. We’re not an information security company, but we DO highly prioritize security. If you suspect there are practices in place at your current third-party vendors which may put your hospital at risk, we are here to help you take the first step in their accountability by providing a security audit of your vendors. This is a free service. We want to support a more secure healthcare environment, and by allowing us to help you hold other third-party vendors accountable, we’re working together to do just that. In the report that we will generate from securityscorecard.com you’ll be provided with specific details of their security status and where to improve. Please take this offer, and the extensive report, to your vendor to make them better – this is a simple first step to hold vendors accountable and keep PHI, and more importantly your patients, secure.”
Access eSignature is not a security company, but we put our security standards above all.
If you’d like to see the security scorecard for your vendors, we’ll be happy to send you a personalized report. Hop over to the Security Reports section of our site, which you can find HERE, and we’ll send you the customized report.