MHA FPX 5014 Assessment 3 Cost-Benefit Analysis
Student name
Capella University
MHA-FPX5014 Healthcare Quality, Risk, and Regulatory Compliance
Professor Name
Submission Date
Abstract
In the US, Anthem suffered one of the largest cybersecurity attacks in 2015, exposing the private and sensitive data of 78.8 million patients. Multiple layers of issues led to this event. Anthem’s failure to conduct company-wide risk assessments, a refusal to adopt encryption, and the absence of an active threat monitoring strategy all contributed. At the time of the data breach, Anthem was already paying a $16 million civil judgment to the Office for Civil Rights (OCR). The company will also face additional financial costs due to the breach, the loss of company reputation, and additional federal restrictions. In addition to the financial and legal consequences, poor cybersecurity places significant ethical burdens on the company and the infrastructure designed to protect patient data. The breach harmed patients, healthcare providers, the OCR, and the HHS, as well as the company’s executive management, employees, and shareholders. To begin to address and reduce cybersecurity risks, it is proposed that Anthem invest $4.5 million to create an AI cybersecurity threat detection system and spend an additional $350,000 on a Chief Information Security Officer, a position that will be funded with an annual salary.
Three strategies were proposed to complement the training of the 40,000 employees ($750,000 a year) and quarterly penetration testing ($500,000 a year). These strategies amount to $6.6 million in expenses, yielding a financial benefit of over $20 million. Additionally, the financial and regulatory costs are considerable. The strategies also extend Anthem’s mission of accountability and patient-centered care.
Issue Description
Anthem Blue Cross Blue Shield, with over 40 million clients, is associated with the biggest healthcare data breach in US history, a 2015 HIPAA violation that affected 78.8 million individuals (Brennan, 2022). Anthem incurred a loss of clients, many lawsuits, and a $16 million OCR settlement. A lack of planning, poor risk financing, weak encryption and monitoring systems, and the absence of a Chief Information Security Officer (CISO) resulted in the breach. The absence of the DMAIC process led to an unethical breach and a financial collapse, with a loss of trust and significant losses to the firm (Achouch et al., 2022). AI-based threat detection, appointment of a CISO, employee training, access restriction, and access audits were recommended. As a permanent solution, an increase in the frequency of penetration testing, employee training, and submission of compliance reports to the Office for Civil Rights (OCR) were recommended to ensure that the internal controls are maintained.
Stakeholders for Cost-Benefit Analysis
The stakeholders involved in the cost-benefit analysis of Anthem’s cybersecurity interventions include both internal and external stakeholders. Internally, executives must manage the costs and assess the sustainability of operations, and IT and cybersecurity employees must defend data. Externally, the analysis benefits the compliance officers and employees who are mandated to take HIPAA training and the mandated cybersecurity training.
Of the external stakeholders, patients are the most vulnerable, and so are the most worried. For patients, the concern is their health information; for the providers and other stakeholders, it is their compliance with the OCR. Patient trust and the brand, as well as the culture and resilience of the workforce, are at risk, in addition to financial and patient safety concerns. With deteriorating trust from patients, compliance costs increase. Poor cybersecurity practices foster a negative culture and erode the resilience of staff.
Value Proposition for Change Management
The proposed strategies provide the organization with significant and unique value related to the 2015 breach. The 2015 breach affected accountability, integrity and, most importantly, the safety of patients. The first proposed change is to buy and deploy AI-based cybersecurity devices. The devices’ breach detection takes about 60 seconds, and, as a result, threat management is improved and made more efficient (Conduah et al., 2025).
The second change increases the responsibility of executive leadership by requiring the appointment of a Chief Information Security Officer (CISO) to assist with IT governance and to account for compliance with evolving regulations. This change supports the overall effort to stabilize the Anthem IT system and safeguard the integrity and safety of the organization’s medical records and the organization’s compliance with HIPAA, HITECH, and CCPA (Shojaei et al., 2024). It will also support the organization’s long-term sustainability and the restoration of confidence in Anthem by the organization’s patients and investors.
Strategies to Impact the Changes
The first processes to implement the changes for Anthem will include (1) a 60% decrease in reportable breaches within the next 12 months, (2) complete adherence to HIPAA and completion of cybersecurity training within the next 6 months, and (3) a 25% increase in the Office for Civil Rights (OCR) audit scores within the next 12 months (Hosseini et al., 2023). Both privacy protection measures and encryption are to be enhanced, along with quarterly penetration testing and audits of the systems. Regular progress reports will be sent to the OCR and stakeholders to keep them informed. Training programs targeted at employees will reduce policy contraventions by 40% (Moritz, 2023). Moreover, structured audits will lead to a 27% improvement annually in compliance scores (Barnes et al., 2022). Through the combined application of these measures, Anthem will tackle the underlying causes of breaches and cultivate a culture of accountability and resilience.
Cost-Benefit Analysis for Risk Management Interventions
The cost-benefit analysis in the submission points out that the options presented will likely cost Anthem more in the short term. However, the effects on both the finances and the organization from Anthem’s viewpoint during the analysis appear to be favorable. The initial costs include: $4.5 million for AI-based cybersecurity systems, $1 million for the annual maintenance of the systems, $350,000/year for the Chief Information Security Officer, $750,000 for annual cybersecurity training for 40,000 employees, and $500,000 for annual penetration tests (Mohamed, 2025). This totals a net loss of approximately $7.1 million for Anthem, and a burden of just over $6.6 million yearly. These options would eliminate the loss from related process violation fines and lawsuits, saving the organization $10 million. They would also eliminate the loss associated with breach response costs, and the costs related to reputational damage and legal claims, saving an additional $8 million. Finally, they would remove the loss associated with the gap in insurance coverage, saving $2 million. With the options recommended, the total annual loss avoided would therefore be estimated to be $20 million (Mohamed, 2025). For the first year, the interventions have a large net positive financial impact of $13 million. This positive financial impact is enhanced by the savings from reduced regulatory costs and the improved cybersecurity system.
Internal and External Benchmarks
Improvement metrics will be assessed against benchmarks set after Anthem’s 2015 record breach, which led to a $16 million 2016 OCR settlement due to the breach of 78.8 million records containing protected health information. The breach had a negative, lasting impact on Anthem’s reputation and finances. These benchmarks will be put in place to mitigate the risk of repeat occurrence of a breach that would result in an OCR reportable settlement. Internal assessments of HIPAA and other regulatory compliance will be complemented by periodic compliance audits and reviews. Anthem’s performance will be benchmarked against its closest competitors as well as the industry. The HIMSS cybersecurity benchmarks indicate that AI-driven breach detection systems can improve breach detection by up to 60. Anthem may face the same challenge if OCR scores HIPAA, median breach detection, and monitoring systems fall within compliance, than other competitors in the marketplace. Absent compliance, Anthem’s market position and reputation may suffer. UnitedHealth and Cigna are other competitors.
Co-Introduction for Recommendations
The proposed strategies consider the existing configuration of Information Technology (IT) infrastructures and Anthem’s compliance monitoring systems. The goal is to proactively protect the organization while minimizing unwanted barriers. Using Artificial Intelligence (AI) and CISO governance to strengthen the organization’s culture of active risk funding is preferred over viewing the approach as a short-term solution (Trim & Lee, 2022). The combination will work to the limits of the flexibly bounded control framework and provide protection against advanced persistent cyber threats. The healthcare industry is the most advanced and most breached industry. Anthem will be able to safeguard client information, maintain compliance, and ensure its competitive advantage in the healthcare insurance industry.
Relationship to Vision, Mission, and Strategy
The recommendations embody the values of integrity, accountability, and a patient-first culture across Mr. McCarthy’s vision for Anthem, demonstrating their commitment to addressing the gaps left by the 2015 data breach (Trim & Lee, 2022). With resilient and advanced cybersecurity, Anthem can realize long-term stability by closing crucial legislative compliance and governance gaps and rebuilding trust in the most uncertain and risk-prone digital markets.
Rationale
Anthem should protect patient data to maintain member trust, given that it has even introduced safety measures to protect member data. Since prevention costs are much less than both the costs associated with a breach and the subsequent fines, Anthem should implement an enterprise-scale solution to protect its patient data. This measure would fall within Anthem’s insurance costs, would safeguard the interests of external stakeholders, and would ensure data is secured. Given the competitive digital landscape, this enhanced safety system would also serve to secure Omni’s competitive market advantage (Żuk & Żuk, 2021).
Conclusion
The 2015 Anthem data breach illustrates how inadequate funding of cybersecurity and poor management can be extremely costly. Anthem’s cost-benefit analysis, with a mandatory spend of $6.6 million a year against the nearly $20 million benefit, shows a $13 million benefit just by spending on cybersecurity. The primary recommendation would be hiring a full-fledged CISO, mandatory cyber training, and the adoption of AI and routine audits in order to protect the long-term future of the company and regain customer trust.
References
Achouch, M., Dimitrova, M., Ziane, K., Karganroudi, S. S., Dhouib, R., Ibrahim, H., & Adda, M. (2022). On predictive maintenance in industry 4.0: overview, models, and challenges. Applied Sciences, 12(16), 8081. https://doi.org/10.3390/app12168081
Barnes, J., Whiley, H., Ross, K., & Smith, J. (2022). Defining food safety inspection. International Journal of Environmental Research and Public Health, 19(2), 789. https://doi.org/10.3390/ijerph19020789
Brennan, T. (2022). The settlement of the Blue Cross Blue Shield antitrust litigation: Creating a new potential catalyst for health insurance industry restructuring. Journal of the American Medical Association Health Forum, 3(12). https://doi.org/10.1001/jamahealthforum.2022.4737
Conduah, A. K., Ofoe, S., & Siaw-Marfo, D. (2025). Data privacy in healthcare: Global challenges and solutions. Digital Health, 11(1), e59. https://doi.org/10.1177/20552076251343959
Das, S., Priyadarshini, R., Mishra, M., & Barik, R. K. (2024). Leveraging towards access control, identity management, and data integrity verification mechanisms in blockchain-assisted cloud environments: A comparative study. Journal of Cybersecurity and Privacy, 4(4), 1018–1043. https://doi.org/10.3390/jcp4040047
Elendu, C., Omeludike, E. K., Oloyede, P. O., Obidigbo, B. T., & Omeludike, J. C. (2024). Legal implications for clinicians in cybersecurity incidents: A review. Medicine, 103(39). https://doi.org/10.1097/md.0000000000039887
Hosseini, A., Emami, H., Sadat, Y., & Paydar, S. (2023). Integrated personal health record (PHR) security: Requirements and mechanisms. Integrated Personal Health Record (PHR) Security: Requirements and Mechanisms, 23(1), 116. https://doi.org/10.1186/s12911-023-02225-0
Lima, L., Vargas, D. S., Azevedo, M., Cordeiro, F. C., Magalhães, S., Max, Romeu, R. K., & Moreira, V. P. (2023). Evaluating and mitigating the impact of OCR errors on information retrieval. International Journal on Digital Libraries, 24(1), 45–62. https://doi.org/10.1007/s00799-023-00345-6
Mohamed, N. (2025). Artificial intelligence and machine learning in cybersecurity: A deep dive into state-of-the-art techniques and future paradigms. Knowledge and Information Systems, 67(1), 6969–7055. https://doi.org/10.1007/s10115-025-02429-y
Moritz, E. D. (2023). Foodborne illness outbreaks at retail food establishments — National environmental assessment reporting system, 25 state and local health departments, 2017–2019. MMWR. Surveillance Summaries, 72(6), 1–11. https://doi.org/10.15585/mmwr.ss7206a1
Shojaei, P., Gjorgievska, E. V., & Chow, Y.-W. (2024). Security and privacy of technologies in health information systems: A systematic literature review. Computers, 13(2), 1–25. https://www.mdpi.com/2073-431X/13/2/41
Trim, P. R. J., & Lee, Y.-I. (2022). Combining sociocultural intelligence with artificial intelligence to increase organizational cyber security provision through enhanced resilience. Big Data and Cognitive Computing, 6(4), 110. https://doi.org/10.3390/bdcc6040110
Żuk, P., & Żuk, P. (2021). Increasing energy prices as a stimulus for entrepreneurship in renewable energies: Ownership structure, company size, and energy policy in companies in Poland. Energies, 14(18), 5885. https://doi.org/10.3390/en14185885
(FAQs) related to
MHA FPX 5014 Assessment 3
Question 1: What is MHA FPX 5014 Assessment 3 Cost-Benefit Analysis?
Answer 1: Evaluating costs and benefits of cybersecurity risk management interventions.

