Anthem Settles HIPAA Allegations Following Largest Health Data Breach in History for Record $16 Million

King & Spalding

On October 15, 2018, the HHS Office for Civil Rights (OCR) announced a record $16 million settlement with Anthem, Inc., resolving allegations that Anthem violated certain HIPAA requirements prior to and following a 2015 cyber-attack in which the protected health information (PHI) of nearly 79 million individuals was stolen from Anthem’s enterprise data warehouse.  The previous highest OCR settlement was $5.5 million.  OCR opened a compliance review of Anthem in February 2015 after news outlets reported that Anthem had experienced a sophisticated external cyber-attack.  After an investigation, OCR concluded that, in addition to failing to prevent the impermissible disclosure of PHI, Anthem, acting as a business associate, failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent unauthorized access to sensitive PHI.

According to Anthem’s breach report to OCR, in January 2015, Anthem discovered that cyber-attackers had gained access to Anthem’s information technology system.  Upon further review, Anthem determined that the cyber-attackers gained access by sending phishing emails to employees of an Anthem subsidiary.  At least one employee responded to the malicious emails, exposing the system to further attacks.  OCR’s investigation revealed that between December 2, 2014, and January 27, 2015, the cyber-attackers stole the PHI of nearly 79 million individuals, including names, Social Security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.  This constitutes the largest health data breach in history.

OCR concluded that Anthem failed to comply with several HIPAA requirements prior to and following the breach, including failure to conduct an enterprise-wide risk analysis, insufficient procedures to regularly review information system activity, failure to identify and respond to suspected or known security incidents, and failure to implement adequate minimum access controls to prevent unauthorized access to sensitive PHI.  Notably, Anthem was acting as a business associate rather than a covered entity, providing administrative services to affiliated covered entity health plans.

In the resolution agreement between Anthem and OCR, in addition to its agreement to pay HHS $16 million, Anthem agreed to comply with a corrective action plan (CAP), which requires Anthem to conduct a risk analysis; review, revise, and distribute policies and procedures; report certain events to OCR; and submit implementation and annual reports to OCR.

OCR’s press release and the resolution agreement are available on OCR’s website.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising

