<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE article PUBLIC "-//NLM//DTD Journal Publishing DTD v3.0 20080202//EN" "http://dtd.nlm.nih.gov/publishing/3.0/journalpublishing3.dtd">
<article xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" dtd-version="3.0" xml:lang="en" article-type="research article">
 <front>
  <journal-meta>
   <journal-id journal-id-type="publisher-id">
    etsn
   </journal-id>
   <journal-title-group>
    <journal-title>
     E-Health Telecommunication Systems and Networks
    </journal-title>
   </journal-title-group>
   <issn pub-type="epub">
    2167-9517
   </issn>
   <issn publication-format="print">
    2167-9525
   </issn>
   <publisher>
    <publisher-name>
     Scientific Research Publishing
    </publisher-name>
   </publisher>
  </journal-meta>
  <article-meta>
   <article-id pub-id-type="doi">
    10.4236/etsn.2025.143004
   </article-id>
   <article-id pub-id-type="publisher-id">
    etsn-144053
   </article-id>
   <article-categories>
    <subj-group subj-group-type="heading">
     <subject>
      Articles
     </subject>
    </subj-group>
    <subj-group subj-group-type="Discipline-v2">
     <subject>
      Computer Science 
     </subject>
     <subject>
       Communications
     </subject>
    </subj-group>
   </article-categories>
   <title-group>
    C4 Framework for Healthcare Cybersecurity Defense: A Human-Centric, Socio-Technical Approach
   </title-group>
   <contrib-group>
    <contrib contrib-type="author" xlink:type="simple">
     <name name-style="western">
      <surname>
       Mostafa
      </surname>
      <given-names>
       Rahmany
      </given-names>
     </name>
    </contrib>
    <contrib contrib-type="author" xlink:type="simple">
     <name name-style="western">
      <surname>
       Arunmozhi
      </surname>
      <given-names>
       Selvi
      </given-names>
     </name>
    </contrib>
   </contrib-group> 
   <aff id="affnull">
    <addr-line>
     aDepartment of Data and Cybersecurity, British University College, Ajman, UAE
    </addr-line> 
   </aff> 
   <pub-date pub-type="epub">
    <day>
     17
    </day> 
    <month>
     07
    </month>
    <year>
     2025
    </year>
   </pub-date> 
   <volume>
    14
   </volume> 
   <issue>
    03
   </issue>
   <fpage>
    31
   </fpage>
   <lpage>
    38
   </lpage>
   <history>
    <date date-type="received">
     <day>
      8,
     </day>
     <month>
      June
     </month>
     <year>
      2025
     </year>
    </date>
    <date date-type="published">
     <day>
      14,
     </day>
     <month>
      June
     </month>
     <year>
      2025
     </year> 
    </date> 
    <date date-type="accepted">
     <day>
      14,
     </day>
     <month>
      July
     </month>
     <year>
      2025
     </year> 
    </date>
   </history>
   <permissions>
    <copyright-statement>
     © Copyright 2014 by authors and Scientific Research Publishing Inc. 
    </copyright-statement>
    <copyright-year>
     2014
    </copyright-year>
    <license>
     <license-p>
      This work is licensed under the Creative Commons Attribution International License (CC BY). http://creativecommons.org/licenses/by/4.0/
     </license-p>
    </license>
   </permissions>
   <abstract>
    Cybersecurity attacks represent a significant threat to healthcare organizations, jeopardizing patient data, clinical operations, and institutional trust. The human element—healthcare workers themselves—continues to be a primary and persistent vulnerability that technological controls alone cannot mitigate. This paper argues that traditional, compliance-oriented security approaches are insufficient to tackle the inherent human factors leveraged by modern cyber attackers. Recognizing that most security incidents stem from human error and social engineering, a new paradigm is needed. This paper presents the C4 Framework, a novel human-centric cybersecurity model tailored to the unique constraints of the healthcare sector. The framework is built on four interdependent pillars: Comprehensive Assessment&amp;Risk Profiling, Customized Education&amp;Training, Cultural Reinforcement&amp;Communication, and Continuous Measurement&amp;Adaptation. By emphasizing a shift in security culture, personalized education, and perpetual evolution, the framework provides a roadmap for transforming an organization’s human element from its greatest vulnerability into a resilient defense asset.
   </abstract>
   <kwd-group> 
    <kwd>
     Security Culture
    </kwd> 
    <kwd>
      Healthcare
    </kwd> 
    <kwd>
      Human Factor
    </kwd> 
    <kwd>
      Insider Threat
    </kwd> 
    <kwd>
      C4 Framework
    </kwd> 
    <kwd>
      Social Engineering
    </kwd> 
    <kwd>
      Human-Computer Interaction
    </kwd> 
    <kwd>
      Cybersecurity
    </kwd> 
    <kwd>
      Socio-Technical Systems
    </kwd> 
    <kwd>
      Change Management
    </kwd>
   </kwd-group>
  </article-meta>
 </front>
 <body>
  <sec id="s1">
   <title>1. Introduction</title>
   <p>Healthcare sits at a critical inflection point where technological advancement intersects with high-risk exposure. The digitization of electronic health records (EHR), the proliferation of the Internet of Medical Things (IoMT), and the rise of telehealth have redefined care delivery but have also dangerously expanded the attack surface for adversaries. As a result, the sector is under constant siege from cybercriminals, leading to ransomware attacks that cripple critical systems and data breaches that compromise sensitive Personal Health Information (PHI) <xref ref-type="bibr" rid="scirp.144053-1">
     [1]
    </xref>. A comprehensive review of recent trends confirms that the healthcare sector faces numerous, evolving cybersecurity threats owing to this increasing digitization and the considerable value of its data <xref ref-type="bibr" rid="scirp.144053-2">
     [2]
    </xref>. The traditional approach to security is often insufficient against modern threats, necessitating a shift towards greater cyber resilience and the capacity to adapt in real-time to new attack vectors.</p>
   <p>Despite significant investments in technological safeguards, the human element remains the primary vector for such breaches, a reality that exposes the limitations of technology-only security strategies <xref ref-type="bibr" rid="scirp.144053-3">
     [3]
    </xref>. This challenge is particularly acute in healthcare due to a confluence of environmental factors, including high-stress workloads, and alert fatigue, all of which erode situational awareness and increase susceptibility to deception. Cognitive Load Theory suggests that the high intrinsic cognitive load of clinical tasks leaves fewer mental resources available to process the extraneous load imposed by complex security procedures, making simple, intuitive security design paramount <xref ref-type="bibr" rid="scirp.144053-4">
     [4]
    </xref>. Recent research underscores that a significant percentage of healthcare-related cyber breaches are initiated via phishing attacks, demonstrating that attackers find it easier to exploit human psychology than to breach technical defenses <xref ref-type="bibr" rid="scirp.144053-3">
     [3]
    </xref>.</p>
   <p>While the problem is widely acknowledged, existing solutions often gravitate towards generic, compliance-based training that fails to address the motivational and psychological drivers of human error. The literature reveals a gap for a structured, practical framework designed not merely to raise awareness, but to fundamentally reshape security culture within the specific operational constraints of healthcare. This paper aims to fill this gap by introducing the C4 Framework, a conceptual model that moves beyond compliance to build genuine cybersecurity resilience by placing the human at the center of the defense strategy.</p>
  </sec><sec id="s2">
   <title>2. Methodology of Framework Development</title>
   <p>The C4 Framework is a conceptual model derived from a systematic synthesis of interdisciplinary research and industry best practices. Its development involved three stages:</p>
   <p>Literature Review: A comprehensive review of peer-reviewed literature in cybersecurity, human-computer interaction, organizational psychology, and behavioral science was conducted. This included an analysis of established theories such as Schein’s Model of Organizational Culture <xref ref-type="bibr" rid="scirp.144053-5">
     [5]
    </xref>, Bandura’s Social Learning Theory <xref ref-type="bibr" rid="scirp.144053-6">
     [6]
    </xref>, and Protection Motivation Theory <xref ref-type="bibr" rid="scirp.144053-7">
     [7]
    </xref> to ground the framework in robust academic principles.</p>
   <p>Best-Practice Analysis: An analysis of existing industry frameworks (e.g., NIST <xref ref-type="bibr" rid="scirp.144053-8">
     [8]
    </xref>, ISO 27001 <xref ref-type="bibr" rid="scirp.144053-9">
     [9]
    </xref>) and compliance mandates (e.g., HIPAA <xref ref-type="bibr" rid="scirp.144053-10">
     [10]
    </xref>) was performed to identify gaps related to human-centric controls and cultural integration.</p>
   <p>Framework Synthesis: The four pillars of the C4 framework were synthesized from the thematic analysis of the above sources. Each pillar was designed to address a specific weakness in traditional security approaches and to function as part of an integrated, cyclical system.</p>
  </sec><sec id="s3">
   <title>3. The C4 Human-Centric Awareness Framework</title>
   <p>The C4 framework is composed of four interdependent pillars designed to transform the human element from a liability into a defensive asset. Each pillar’s focus has been sharpened to reduce overlap and improve clarity, per reviewer suggestions.</p>
   <sec id="s3_1">
    <title>3.1. Pillar 1: Comprehensive Assessment &amp; Risk Profiling (The Diagnosis)</title>
    <p>This foundational pillar focuses on developing a deep, data-driven understanding of an organization’s specific human risks. It moves beyond simple knowledge tests to create a detailed “human vulnerability map”. This is achieved through:</p>
    <p>Behavioral Risk Surveys: Using qualitative interviews and surveys to understand why risky behaviors occur, identifying friction points in workflows and sources of cognitive load.</p>
    <p>Realistic Threat Simulations: Deploying phishing and social engineering campaigns tailored to healthcare scenarios to measure baseline vulnerabilities across different roles and departments.</p>
    <p>Insider Threat Profiling: Monitoring data access patterns to identify anomalies that may indicate compromised accounts or inadvertent misuse, recognizing that most insider threats are non-malicious.</p>
   </sec>
   <sec id="s3_2">
    <title>3.2. Pillar 2: Customized &amp; Personalized Education (The Education)</title>
    <p>Armed with insights from Pillar 1, this pillar rejects one-size-fits-all training in favor of targeted, engaging, and relevant security education that is designed to overcome the Ebbinghaus Forgetting Curve, which shows that individuals forget most new information shortly after learning it without reinforcement <xref ref-type="bibr" rid="scirp.144053-11">
      [11]
     </xref>. Key principles include:</p>
    <p>Role-Based Micro-Learning: Delivering short (5-10 minute), on-demand training modules specific to the risks faced by different roles (e.g., a nurse, a billing administrator) to respect the time constraints of clinical staff. This approach manages cognitive load effectively.</p>
    <p>Contextual, Just-in-Time Reminders: Using pop-up prompts and login screen tips to reinforce secure behaviors directly within the workflow, such as a reminder to encrypt an email when PHI is detected.</p>
    <p>Interactive and Gamified Learning: Employing formats like competitive quizzes and virtual reality simulations to move beyond passive learning and allow staff to practice secure behaviors in a safe environment.</p>
   </sec>
   <sec id="s3_3">
    <title>3.3. Pillar 3: Cultural Reinforcement &amp; Communication (The Environment)</title>
    <p>This pillar focuses on embedding security principles into the organization’s daily life, making security a shared value rather than an IT mandate. This cultural shift is guided by Lewin’s 3-Stage Model of Change (Unfreeze, Change, Refreeze) <xref ref-type="bibr" rid="scirp.144053-12">
      [12]
     </xref>.</p>
    <p>Leadership Engagement (Unfreezing): Requiring active, visible sponsorship from senior leadership, who must allocate resources and consistently communicate that security is integral to patient safety. This aligns with Transformational Leadership theory, where leaders inspire a shared vision <xref ref-type="bibr" rid="scirp.144053-13">
      [13]
     </xref>.</p>
    <p>Positive Reinforcement and Security Champions (Changing): Implementing recognition programs that reward proactive security behaviors and cultivating a network of motivated “Security Champions” from various departments who act as peer influencers and normalize secure practices through social learning.</p>
    <p>No-Blame Reporting (Refreezing): Establishing a psychologically safe system for staff to report incidents or errors without fear of reprisal. This fosters Organizational Justice, as employees who perceive policies as fair are more likely to comply <xref ref-type="bibr" rid="scirp.144053-14">
      [14]
     </xref>.</p>
   </sec>
   <sec id="s3_4">
    <title>3.4. Pillar 4: Continuous Measurement &amp; Adaptation (The Evolution)</title>
    <p>This final pillar ensures the program remains effective and relevant by creating a data-driven feedback loop. It utilizes the Kirkpatrick Model for training evaluation to assess effectiveness on multiple levels <xref ref-type="bibr" rid="scirp.144053-15">
      [15]
     </xref>.</p>
    <p>Behavioral KPIs (Level 3: Behavior): Tracking a decline in phishing simulation click-through rates, an increase in staff-reported suspicious events, and wider adoption of security tools like MFA.</p>
    <p>Cultural Metrics (Level 4: Results): Measuring long-term cultural shifts through annual security culture surveys, sentiment analysis of internal communications, and feedback from focus groups.</p>
    <p>Programmatic Review: Conducting regular, rigorous reviews of all data to assess impact, identify areas for improvement, and update educational content with the latest threat intelligence.</p>
    <p>C4 framework is composed of four interdependent pillars designed to transform the human element from a liability into a defensive asset. Each pillar’s focus has been sharpened to reduce overlap and improve clarity, per reviewer suggestions.</p>
   </sec>
  </sec><sec id="s4">
   <title>4. Application of the Framework: Real-World Case Analyses</title>
   <sec id="s4_1">
    <title>4.1. Case Analysis 1: The 2015 Anthem Inc. Phishing Breach</title>
    <p>Context: Anthem Inc. is one of the largest health insurance providers in the United States.</p>
    <p>Incident: In February 2015, Anthem disclosed a breach that exposed the personal information of nearly 79 million people. The investigation revealed that attackers initiated the breach via a targeted phishing email sent to an Anthem subsidiary, which allowed them to steal administrative credentials and move through Anthem’s systems for weeks before detection <xref ref-type="bibr" rid="scirp.144053-16">
      [16]
     </xref>.</p>
    <p>Contributing Human Factors: The root cause was a social engineering attack that deceived an employee. A lack of immediate reporting allowed the attackers extended dwell time within the network.</p>
    <p>C4 Framework Application:</p>
    <p>Pillar 1: An assessment would have identified the high-risk status of system administrators for spear-phishing.</p>
    <p>Pillar 2: Customized micro-learning on credential-harvesting attacks would have been delivered to this group.</p>
    <p>Pillar 3: A “no-blame” culture would have encouraged immediate reporting of the mistake, drastically reducing attacker dwell time.</p>
    <p>Pillar 4: KPIs like mean-time-to-report would be tracked for this user group to refine training.</p>
    <p>Projected Outcome: The probability of the initial phishing email succeeding would be lower. More importantly, the cultural mechanisms would be in place to detect and report the intrusion far more quickly, mitigating the scale of the breach.</p>
   </sec>
   <sec id="s4_2">
    <title>4.2. Case Analysis 2: The 2011 TRICARE Management Activity Data Breach</title>
    <p>Context: TRICARE is the healthcare program for the U.S. Department of Defense Military Health System. The breach involved a business associate, SAIC.</p>
    <p>Incident: In September 2011, it was discovered that unencrypted computer backup tapes containing the records of approximately 4.9 million TRICARE patients had been stolen from an SAIC employee’s car <xref ref-type="bibr" rid="scirp.144053-17">
      [17]
     </xref>. The breach was a failure of physical security protocols.</p>
    <p>Contributing Human Factors: The primary human error was the employee’s violation of data handling policies by removing unencrypted backup media from a secure facility.</p>
    <p>C4 Framework Application:</p>
    <p>Pillar 1: A risk assessment would have audited physical security practices and data handling workflows.</p>
    <p>Pillar 2: Customized training for IT staff would include rigorous modules on physical security and data lifecycle management.</p>
    <p>Pillar 3: A strong security culture would reinforce that protecting patient data is critical, regardless of its format.</p>
    <p>Pillar 4: Measurement would include regular physical security audits and spot-checks of data handling procedures.</p>
    <p>Projected Outcome: An employee embedded in a C4-driven culture would be far less likely to violate a critical data handling policy, averting the breach entirely.</p>
   </sec>
  </sec><sec id="s5">
   <title>5. Discussion: Benefits, Implications, and Scalability</title>
   <p>Adopting the C4 framework shifts an organization from a reactive, compliance-focused posture to a proactive, resilient one. By directly addressing the human factor the root cause of most organizations breaches and security weakness which can significantly reduce the likelihood of costly data loss, unauthorize access or breaches, thereby safeguarding patient data, building trust, and ensuing continuity of care.</p>
   <sec id="s5_1">
    <title>5.1. Scalability and Adaptation for Varied Contexts</title>
    <p>The C4 framework is designed to be scalable to address concerns about organizational capacity. Smaller or under-resourced organizations can begin with a phased implementation, focusing on low-cost, high-impact initiatives first:</p>
    <p>Phase 1 (Foundational): Start Pillar 1 with simple surveys and free phishing simulation tools. Launch a volunteer-based “Security Champions” network (Pillar 3).</p>
    <p>Phase 2 (Developing): Introduce role-based micro-learning (Pillar 2) using internal expertise. Formalize the no-blame reporting process.</p>
    <p>Phase 3 (Mature): Invest in more advanced simulation tools and automated “just-in-time” training systems as resources allow.</p>
   </sec>
   <sec id="s5_2">
    <title>5.2. Cost-Benefit Considerations</title>
    <p>While a full cost-benefit analysis for implementing the C4 Framework is organization-specific, its value proposition can be clearly framed in terms of cost avoidance. The investment in a human-centric program pales in comparison to the catastrophic costs of a major healthcare breach. According to industry reports, the healthcare sector consistently suffers the highest average data breach costs <xref ref-type="bibr" rid="scirp.144053-2">
      [2]
     </xref>. To illustrate with a specific case, the 2015 Anthem breach resulted in a record $16 million HIPAA settlement <xref ref-type="bibr" rid="scirp.144053-18">
      [18]
     </xref> and over $115 million to settle related class-action lawsuits <xref ref-type="bibr" rid="scirp.144053-19">
      [19]
     </xref>. More recently, the 2024 Change Healthcare ransomware attack caused massive disruptions, with the parent company reporting over $872 million in unfavorable effects in a single quarter due to the attack <xref ref-type="bibr" rid="scirp.144053-20">
      [20]
     </xref>. The return on investment for a C4-style program is measured by the reduction of this risk.</p>
   </sec>
  </sec><sec id="s6">
   <title>6. Conclusions</title>
   <p>As a conceptual model, the C4 Framework has limitations that present opportunities for future research. Its successful implementation depends heavily on sustained leadership support and resource allocation. The primary direction for future work, as can be highlighted, is the empirical validation of the framework. A longitudinal study monitoring the KPIs outlined in Pillar 4 within a healthcare organization would provide invaluable data on its effectiveness. Comparative research studying the impact of customized education modules versus generic training could offer further evidence. Finally, investigating the use of machine learning and AI to further personalize simulations and just-in-time training represents a promising frontier for optimizing the framework’s delivery in real-time.</p>
   <sec id="s6_1">
    <title>Limitations and Future Directions</title>
    <p>As a conceptual model, the C4 Framework has limitations that present opportunities for future research. Its successful implementation depends heavily on sustained leadership support and resource allocation. The primary direction for future work, as highlighted by the reviewers, is the empirical validation of the framework. A longitudinal study monitoring the KPIs outlined in Pillar 4 within a healthcare organization would provide invaluable data on its effectiveness. Comparative research studying the impact of customized education modules versus generic training could offer further evidence. Finally, investigating the use of machine learning and AI to further personalize simulations and just-in-time training represents a promising frontier for optimizing the framework’s delivery in real-time.</p>
   </sec>
  </sec>
 </body><back>
  <ref-list>
   <title>References</title>
   <ref id="scirp.144053-ref1">
    <label>1</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     HIMSS (2024) 2024 HIMSS Cybersecurity Survey. Healthcare Information and Management Systems Society.
    </mixed-citation>
   </ref>
   <ref id="scirp.144053-ref2">
    <label>2</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     IBM Security (2024) Cost of a Data Breach Report 2024. Ponemon Institute.
    </mixed-citation>
   </ref>
   <ref id="scirp.144053-ref3">
    <label>3</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Verizon (2025) 2025 Data Breach Investigations Report. Verizon Enterprise Solutions.
    </mixed-citation>
   </ref>
   <ref id="scirp.144053-ref4">
    <label>4</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Sweller, J. (1988) Cognitive Load during Problem Solving: Effects on Learning. Cognitive Science, 12, 257-285. &gt;https://doi.org/10.1207/s15516709cog1202_4
    </mixed-citation>
   </ref>
   <ref id="scirp.144053-ref5">
    <label>5</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Schein, E.H. (2010) Organizational Culture and Leadership. 4th Edition, Jossey-Bass.
    </mixed-citation>
   </ref>
   <ref id="scirp.144053-ref6">
    <label>6</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Bandura, A. (1977) Social Learning Theory. Prentice Hall.
    </mixed-citation>
   </ref>
   <ref id="scirp.144053-ref7">
    <label>7</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Rogers, R.W. (1975) A Protection Motivation Theory of Fear Appeals and Attitude Change. The Journal of Psychology, 91, 93-114. &gt;https://doi.org/10.1080/00223980.1975.9915803
    </mixed-citation>
   </ref>
   <ref id="scirp.144053-ref8">
    <label>8</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     National Institute of Standards and Technology (2024) The NIST Cybersecurity Framework (CSF) 2.0. NIST CSWP 29. 
    </mixed-citation>
   </ref>
   <ref id="scirp.144053-ref9">
    <label>9</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     International Organization for Standardization (2022) ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection—Information Security Management Systems—Requirements.
    </mixed-citation>
   </ref>
   <ref id="scirp.144053-ref10">
    <label>10</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     U.S. Department of Health&amp;Human Services (1996) Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191.
    </mixed-citation>
   </ref>
   <ref id="scirp.144053-ref11">
    <label>11</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Murre, J.M.J. and Dros, J. (2015) Replication and Analysis of Ebbinghaus’ Forgetting Curve. PLOS ONE, 10, e0120644. &gt;https://doi.org/10.1371/journal.pone.0120644
    </mixed-citation>
   </ref>
   <ref id="scirp.144053-ref12">
    <label>12</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Lewin, K. (1947) Frontiers in Group Dynamics: Concept, Method and Reality in Social Science; Social Equilibria and Social Change. Human Relations, 1, 5-41. &gt;https://doi.org/10.1177/001872674700100103
    </mixed-citation>
   </ref>
   <ref id="scirp.144053-ref13">
    <label>13</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Bass, B.M. (1990) From Transactional to Transformational Leadership: Learning to Share the Vision. Organizational Dynamics, 18, 19-31. &gt;https://doi.org/10.1016/0090-2616(90)90061-s
    </mixed-citation>
   </ref>
   <ref id="scirp.144053-ref14">
    <label>14</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Colquitt, J.A. (2001) On the Dimensionality of Organizational Justice: A Construct Validation of a Measure. Journal of Applied Psychology, 86, 386-400. &gt;https://doi.org/10.1037/0021-9010.86.3.386
    </mixed-citation>
   </ref>
   <ref id="scirp.144053-ref15">
    <label>15</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Kirkpatrick, D.L. (1996) Evaluating Training Programs: The Four Levels. Berrett-Koehler Publishers.
    </mixed-citation>
   </ref>
   <ref id="scirp.144053-ref16">
    <label>16</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Krebs, B. (2015) Anthem Breach Exposes 80 Million Patient, Employee Records. Krebs on Security.
    </mixed-citation>
   </ref>
   <ref id="scirp.144053-ref17">
    <label>17</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     U.S. Department of Health&amp;Human Services (2011) Breach Report Details Theft of Backup Tapes Affecting 4.9M. Official HHS Breach Portal Report and Subsequent News Coverage.
    </mixed-citation>
   </ref>
   <ref id="scirp.144053-ref18">
    <label>18</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     U.S. Department of Health&amp;Human Services (2017) Anthem Pays HHS $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History. HHS Press Release.
    </mixed-citation>
   </ref>
   <ref id="scirp.144053-ref19">
    <label>19</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Stempel, J. (2018) Anthem Agrees to Pay $115 Million to Settle U.S. Data Breach Litigation. Reuters.
    </mixed-citation>
   </ref>
   <ref id="scirp.144053-ref20">
    <label>20</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     UnitedHealth Group (2024) UnitedHealth Group Reports First Quarter 2024 Results.
    </mixed-citation>
   </ref>
  </ref-list>
 </back>
</article>