$6.85 million dollars is one of the OCR’s latest settlement amounts against a health insurer. After an OCR investigation, they found cyber-attackers had used a phishing email to install malware. This malware went undetected for almost nine months! The hackers were able to access more than 10 million individual’s PHI and were able to collect data that included Social Security numbers and even bank account information!  

The investigation found that the health insurer was not HIPAA compliant due to not performing risk analysis, not implementing risk management and audit controls. These findings not only cost the organization well over $6 million dollars, but they also will have to take on a corrective action plan along with 2 years of monitoring.  

In the OCR’s press release, OCR Director, Roger Severino summed it up perfectly, “If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will. This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months.” We couldn’t have said it better ourselves!  

Along with noncompliance, the insurer has another obvious issue: phishing. Many of us who work in the cybersecurity field always have phishing on the mind when opening emails but there are many who don’t. Training all employees on what to do if they think they’ve been phished, how to spot a phish, and the risks of a phishing email could be the difference in a settlement of $6 million dollars. That being said, human error is always a possibility and risk analysis, risk management, and proper auditing could have stopped hackers from going undetected in this organization’s environment.