On October 15, 2018, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced that Anthem, Inc. will pay $16 million to settle OCR’s investigation of its potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. This HIPAA settlement is the largest to date and is almost triple the previous high of $5.55 million paid to OCR in 2016. The Resolution Agreement also requires Anthem, one of largest health insurers in the nation and a business associate to numerous health plans, to undertake a robust corrective action plan to address the compliance issues identified during OCR’s investigation.

OCR began an investigation of Anthem in February 2015 after media reports and information on Anthem’s website indicated that Anthem had experienced a sophisticated cyberattack. A month later, Anthem notified OCR that hackers had gained access to the electronic protected health information (ePHI) of over 78 million individuals stored on Anthem’s enterprise data warehouse, the largest U.S. health data breach in history.

The hackers initially gained access to Anthem’s network through a phishing attack on one of Anthem’s subsidiaries in which at least one employee responded to a malicious email. Once inside the subsidiary’s information system, the attackers were able to gain access to other parts of Anthem’s network to extract data. For a period of approximately six weeks, the hackers remained in Anthem’s network undetected and continued to steal ePHI, including individuals’ names, Social Security numbers, medical identification numbers, addresses, dates of birth, email addresses and employment information.

OCR’s investigation found that, besides allowing the impermissible disclosure of ePHI, Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent unauthorized persons from accessing sensitive ePHI.

OCR’s Director indicated that the record-breaking settlement amount was appropriate for the largest U.S. health data breach in history. Director Roger Severino stressed that large healthcare companies should be aware that they are among the most attractive targets for hackers given their large stores of sensitive health information and have appropriate measures in place given the level of risk. In particular, Director Severino called out the need for strong password policies and timely security incident response. In contrast, Anthem resolved the matter with seven state regulators in 2016 with no fines or penalties warranted, but significant security measures and heightened information security monitoring required. The OCR corrective action plan requires Anthem to conduct an accurate and thorough risk analysis, the specifications of which must be approved by OCR to ensure its adequacy. Anthem is also required to revise its policies and procedures regarding information system activity review and access control.

Takeaways

This settlement should serve as a reminder to large healthcare organizations that, because of the amount and sensitive nature of the information they maintain, they are most likely to be targeted frequently and persistently by cyber criminals. Organizations with numerous employees, subsidiaries, locations, and lines of business likely have complex and interconnected information systems. It is important for such organizations (and any covered entity or business associate that maintains an enterprise data warehouse) to have processes in place to regularly audit and monitor activity in their information systems to detect unauthorized access to information, unusual or suspicious activity, and when information is being sent outside the system.

Organizations should also have access controls in place to ensure that each individual who is granted access to the information system is only authorized to access information needed to do their specific job and does not have the ability to access other areas of the information system that contain sensitive information. A security risk analysis, which is required under the HIPAA Security Rule, can assist an organization in determining how to bolster its auditing, monitoring and access control procedures.

Finally, this settlement reinforces the necessity of employee training regarding how to identify phishing emails for healthcare organizations of all sizes, as phishing emails are a common way that cyber criminals gain access to an organization’s network.