In the wake of the largest U.S. health care data breach in history, Anthem, Inc., has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights, a record settlement for alleged HIPAA violations. In addition to the monetary payment, Anthem agreed to conduct a thorough and accurate risk analysis – a challenge for many organizations. In this article, we discuss the Anthem breach and provide expert insight on how to avoid common risk analysis pitfalls, what steps organizations in all sectors should take to conduct an effective and compliant assessment, and how to use the assessment report to mitigate risk. See also “Using a Risk Assessment as a Critical Component of a Robust Cybersecurity Program (Part One of Two)” (Nov. 16, 2016); Part Two (Nov. 30, 2016).