Business Associate (BA) Causes HIPAA HITECH Breach of Over 200,000 at Anthem Blue Cross
A third-party vendor (BA) left a hole in Anthem Blue Cross's security that you could drive a truck through and left it open for five months. From Anthem's press release: "The ability to manipulate the web address (URL) was available for a relatively short period of time following an upgrade to the system. After the upgrade was completed, a third party vendor validated that all security measures were in place, when in fact they were not. As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again." Not until a lawsuit was filed by affected patients did Anthem discover the breach. That is a very loud and painful wake-up call. This will cost Anthem millions in fines and penalties, not to mention the lost business, which the Ponemon Institute suggests will be 66% of the cost.
LOS ANGELES — About 230,000 Anthem Blue Cross customers have been warned that their personal data, including medical records and Social Security numbers, may have been wrongly accessed following a faulty upgrade of the company's website.
A site user was able to manipulate Web addresses to access confidential information after security measures weren't reinstated properly following an October 2009 upgrade, said Anthem spokeswoman Cynthia Sanders.
"We were told by a third party vendor that all security measures were in place," said Sanders. "As soon as we heard about the attorneys, we went in, discovered the problem and fixed it immediately."
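The flaw described above is a record lookup keyed by a URL parameter whose authorization check was dropped after an upgrade. The following is an added illustration, not Anthem's code or the vendor's: it shows the unchecked pattern beside the hardened lookup, and a release check that refuses to accept "all security measures are in place" unless a cross-account read is actually denied. Record ids, account names and record contents are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str   # the account permitted to view this record
    body: str

# Constructed sample data standing in for a member-records table.
RECORDS = {
    1001: Record(1001, "alice", "claims history for alice"),
    1002: Record(1002, "bob", "claims history for bob"),
}

class Forbidden(Exception):
    pass

def fetch_record_unchecked(record_id: int, current_user: str) -> Record:
    """The failure mode: whoever edits the id in the URL gets the record.
    current_user is accepted but never consulted."""
    return RECORDS[record_id]

def fetch_record(record_id: int, current_user: str) -> Record:
    """Object-level authorization: the record must belong to the requester.
    Deny by default; never hand back another member's data."""
    record = RECORDS.get(record_id)
    if record is None or record.owner != current_user:
        # One response for "missing" and "not yours", so ids cannot be enumerated.
        raise Forbidden(f"record {record_id} not available to {current_user}")
    return record

def authorization_enforced(fetch) -> bool:
    """Post-upgrade validation: the deployment passes only if a cross-account
    read is refused. Run this on every release instead of taking a vendor's word."""
    try:
        fetch(1002, "alice")   # alice requests bob's record by changing the id
    except Forbidden:
        return True
    return False

if __name__ == "__main__":
    print("hardened lookup enforced:", authorization_enforced(fetch_record))
    print("unchecked lookup enforced:", authorization_enforced(fetch_record_unchecked))
```

The second line of output is the condition Anthem was in for five months: the check reports False, which is what a release gate should have caught before the upgrade went live.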
Covered entities (CEs) need to take an active role in helping their BAs protect PHI, because the CE is the one who ends up paying the bills and taking the losses. HIPAA states that the CE must have "satisfactory assurance" that its BAs are compliant, and that it may request a risk assessment if "reasonable and appropriate". I am sure that Anthem now thinks that a risk assessment would have been "reasonable and appropriate" in this case.
Does this qualify as "willful neglect"? Only time and the OCR audit will tell, but there are some very suspicious acts, including failure to notify within the required time frame.
I once blogged that BAs were the "blind side" for CE security and I am sure that Anthem feels blindsided at this time.
Get compliant, stay compliant, and require proof that your BAs are compliant.