Anthem Agrees to Pay Largest HIPAA Settlement at $16M for Massive Breach

Murtha Cullina

More than three years ago, Anthem, Inc. reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that it suffered a cyber attack compromising the protected health information of nearly 79 million individuals. This breach continues to be the largest breach of protected health information to date.  Yesterday, OCR announced its record-breaking $16 million settlement with Anthem related to the massive breach. 

“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino in an OCR press release. This settlement is nearly three times the previous high of $5.55 million that Advocate Health paid in 2016 for a breach affecting more than 4 million patients.

According to OCR’s allegations, Anthem failed to conduct a system-wide risk analysis, had insufficient procedures to review system activity, failed to identify and respond to security incidents and failed to implement adequate minimum access controls to prevent access to electronic protected health information (ePHI).

Given the size of the breach, the record-setting settlement amount is not surprising. Notably, a failure to perform a comprehensive risk analysis continues to result in large settlement amounts with OCR after a breach. (See our previous blog posts: $3.5 M OCR Settlement for Five Breaches Affecting Fewer Than 500 Patients Each and OCR Published Three HIPAA Settlements in Two Weeks, Signaling a Ramp Up of HIPAA Enforcement Activity).

Accordingly, HIPAA covered entities must perform a system-wide risk analysis that complies with the HIPAA Security Rule as well as perform periodic updates as necessary. That risk analysis, along with evidence of measures implemented to address vulnerabilities identified in the risk analysis, will be the first thing OCR requests in an investigation involving a breach of ePHI.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Murtha Cullina | Attorney Advertising

Written by:

Murtha Cullina

Murtha Cullina on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.