On October 15, 2018, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that Anthem, Inc. (Anthem) agreed to pay $16 million to settle allegations relating to HIPAA violations following a 2015 data breach affecting 79 million individuals. This is the largest health data breach in U.S. history and the settlement announced is almost three times larger than the previous OCR settlement payment record of $5.5 million in 2016.
Anthem’s payment to OCR is separate from its $115 million settlement in August 2018 of a class-action lawsuit relating to the same incident. The payments made by Anthem to settle allegations related to this breach exceed $130 million.
In February 2015, OCR opened a compliance review of Anthem after learning of Anthem’s cyber-attack in the media and on Anthem’s web site. In March 2015, Anthem filed a breach report with OCR describing its finding in January 2015 that cyber attackers had gained access to Anthem’s IT system through an advanced persistent threat attack. Anthem’s investigation revealed that the attackers were able to gain access through so-called spear phishing emails after at least one employee responded to the deceptive email. The Anthem cyber attackers were able to steal — in less than two months — the electronic protected health information (ePHI), including names, social security numbers, medical identification numbers, addresses, dates of birth and employment information, of approximately 79 million individuals.
OCR’s investigation revealed that Anthem’s potential HIPAA violations included:
failure to conduct an accurate and thorough risk analysis of its ePHI;
lack of sufficient procedures to regularly review information system activity;
failure to identify and respond to the detection of a security incident that led to the breach; and
lack of sufficient technical policies and procedures for information systems that maintain ePHI to limit access.
In addition to the $16 million fine to OCR, Anthem agreed to enter into a two-year corrective action plan (CAP) that:
requires Anthem to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI that includes a statement of work that must be approved by HHS with specific timeframes for implementation;
requires Anthem to review and revise, within a specific timeframe, its written policies and procedures that address specific HIPAA Security Rule provisions, and to distribute them to members of its workforce; and
requires Anthem to prepare an implementation report and annual reports with respect to its compliance with the CAP.
The OCR director noted in the OCR’s press release that, “Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information… large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”
Phishing emails are, unfortunately, common in the health care delivery system and in all industry sectors. The Anthem OCR settlement and class action lawsuit payment underscore the critical importance of having a robust and compliant HIPAA Security Rule program that is regularly monitored, updated and on which its workforce is trained.