Tuesday, February 10, 2015

Anthem Data Breach and Due Diligence

Anthem is the second-largest health insurance company in the US, and when they reported being hacked recently, it was estimated that the healthcare information (and identities) of 1 in 4 Americans was compromised -- that's more than 80 million. To put that in perspective, in the decade previous to this breach, the HHS "wall of shame" identifies approximately 40 million identities compromised in breaches. The Anthem breach compromises twice as many identities as all other breaches combined.

The breach was detected on Jan. 27 and announced on Feb. 4. By Feb. 6, there had already been four lawsuits launched against anthem, alleging they "did not take adequate and reasonable measures to ensure its data systems were protected."

I mentioned in an earlier post that healthcare data breaches are quite lucrative for the criminal elements perpetrating or benefitting from them. I should also mention that data breaches in general are quite expensive to the organizations breached as well.

One estimate has Anthem on the hook for $100 million to $200 million just to fix vulnerabilities and/or damage done. However, costs may be much higher depending on whether Anthem can demonstrate due diligence. Most security experts regard data breaches as inevitable, but the investigation of data breaches by regulatory authorities will judge whether Anthem did their best to prevent the breach, and to minimize its impact. If they didn't, HIPAA enforcement come into play. A finding against Anthem by the HHS Office for Civil Rights (OCR) could also open the door to more lawsuits.

In May, 2013, a study sponsored by Symantec and carried out by Ponemon Institute LLC estimated the cost of data breaches in the US to be approximately $188 per identity compromised. I'll let you do the math on that with regard to the Anthem data breach. Let's hope they can find economies of scale.

Of course, performing due diligence and demonstrating due diligence to an auditor are two different things. Whatever your regulatory requirements are, will you be ready for the auditor?

No comments:

Post a Comment