What Happened: In January 2015, Anthem discovered that cyber-attackers had gained access to its system via phishing emails. At least one employee of an Anthem subsidiary responded to a malicious email, thus opening the entire IT system to hacker access. In less than two months, through a targeted attack that went undetected, the hackers managed to steal the electronic protected health information (ePHI) of roughly 79 million individuals, the largest health data breach in US history. Anthem agreed to the aforementioned $16 million settlement and a robust corrective action plan.
Takeaway for ASCs: This attack is a startling illustration of how a single instance of lax cybersecurity and weak access detection can have devastating effects. The hackers were targeting ePHI, and it took only one response to a phishing email to expose the whole health IT infrastructure. Furthermore, because Anthem was not able to detect the intrusion, the hackers had time to mine the system for the maximum amount of ePHI. It is vital for all health care entities, including ASCs, to train their employees on the risks of phishing emails and other common vehicles for data attacks. In addition, ASCs should have access detection mechanisms in place and regularly evaluate their data security policies to ensure the elimination of any possible vulnerabilities.
What Happened: Advanced Care Hospitalists (ACH), a company that provides contracted internal medicine physicians to hospitals and nursing homes, allowed a fraudulent contractor to access and display patient information under the guise of a medical billing contract. The contractor had no connection with any medical billing agencies and displayed ePHI—including names, dates of birth, and social security numbers—of potentially thousands of patients in public view on the ACH website. ACH agreed to a $500,000 settlement and a substantial corrective action plan.
Takeaway for ASCs: As ASCs contract with several outside entities for various business and technology processes, they must have a stringent contractor vetting policy and sound business associate agreements. When an ASC gives an external individual or organization access to its patient information, it must consider that external agent to be a potential vulnerability as part of a HIPAA risk analysis.