Anthem, Inc. will pay $16 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to settle violations of the HIPAA Privacy and Security Rules. This settlement marks the largest ever HIPAA fine, in one of the most extensive health data breaches in history. Almost 79 million patients’ electronic protected health information (ePHI) was exposed in the Anthem data breach.
This is the highest HIPAA settlement in the history of HIPAA enforcement. The Anthem HIPAA fine nearly triples the previous high of $5.55 million paid to OCR by Advocate Health Care in 2016.
“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino.
OCR’s investigation revealed that the compromised protected health information (PHI) involved in the Anthem breach included names, Social Security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information and was stolen between December 2, 2014 and January 27, 2015.
Anthem HIPAA Fine: What We Know
Indianapolis-based Anthem is a health insurance company, the largest for-profit company in the Blue Cross and Blue Shield Association. It provides medical care and coverage to one in eight Americans through all affiliated health plans. The cyberattacks exposed ePHI that Anthem maintained for its affiliated health plans and any other covered entity health plans.
On March 13, 2015, Anthem filed a breach report with OCR detailing the cyber-security breach, which was discovered on January 29, 2015. Cyber-attackers gained access to Anthem’s IT system via an undetected continuous and targeted cyberattack with the apparent purpose of extracting data, also known as an advanced persistent threat attack. Following the breach report, Anthem discovered that hackers accessed its system through phishing emails, a common method for cyberattacks. Hackers sent the phishing emails to an Anthem subsidiary after at least one employee responded to a malicious email, opening the door to further attacks, according to OCR.
In addition to the compromised ePHI, OCR’s investigation discovered that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, dating back as early as February 18, 2014.
“Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information,” Director Severino said. “We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”
In addition to the $16 million settlement, Anthem agreed to undertake corrective actions to comply with HIPAA Rules. The resolution agreement and corrective action plan can be found on the OCR website.