Management Paper on Anthem Inc. and Cottage Health HIPAA Violations

In 2018, Anthem, an independent licensee of the Blue Cross and Blue Shield Association in the U.S., made history with the largest Health Insurance Portability and Accountability Act (HIPAA) settlement following a health data breach (HHS, 2018). The Department of Health and Human Services' Office for Civil Rights (OCR) announced that Anthem had agreed to pay a settlement of $16 million after a series of cyber-attacks exposed the electronic protected health information (ePHI) of around 79 million people. The attackers penetrated the company's IT system through spear phishing emails to which at least one employee of its subsidiary replied. Anthem could have prevented the breach by strengthening its risk analysis, including sufficient reviews of IT system activity and technical controls. The company should also have responded immediately once the attack was detected, to avoid further damage.

In the same year, OCR also completed a HIPAA violation settlement with Cottage Health, which agreed to pay $3 million after its unsecured ePHI was accessed by an unauthorized party (HHS, 2018). Cottage Health operates four hospitals in California. The breaches, which occurred in 2013 and 2015, affected close to 62,500 people. In the first breach, OCR found that files containing ePHI were accessible because the security configuration settings of an operating system did not require a username or password (HHS, 2018). The second breach occurred while responding to a troubleshooting ticket: a server was misconfigured, exposing unsecured ePHI on the internet (HHS, 2018). Cottage Health could have prevented these breaches by using risk analysis and risk management tools to identify potential attacks and respond in a timely manner.
HHS. (2018, Oct 15). Anthem pays $16 million in record HIPAA settlement following largest U.S. health data breach in history. Retrieved from

HHS. (2019, Feb 7). OCR concludes all-time record year for HIPAA enforcement with $3 million Cottage Health settlement. Retrieved from