Case of the Month: Anthem Settles Massive HIPAA Breach Case for Record $16 Million

Pop Quiz: What’s the highest amount a health care entity ever paid to the HHS Office for Civil Rights (OCR) to settle a HIPAA violation?

The answer used to be $5.5 million paid by Advocate Health back in July 2016. But now that record has been shattered to smithereens thanks to the newly announced Anthem $16 million HIPAA settlement.

What Happened
Everything about this story is super-sized—not just the settlement amount but the entity that paid it, Anthem, the nation’s second largest health insurer providing coverage one in eight Americans. Of equal magnitude were the cyberattacks it experienced in 2015 which compromised the PHI of nearly 79 million people affiliated with Anthem heath plans, the largest health data breach in history.

One of the malevolent aspects of the story is that the hackers apparently worked for a foreign government. But the methods he/she used to get into Anthem’s IT system are the same ones used against your lab every day, namely, a sustained series of phishing emails to employees posing as correspondences from trusted sources asking for passwords access information. Employees who should have known better bit, prying the doors wide open.

Anthem discovered the attacks on Jan. 29, 2015 and filed a breach report with the OCR on March 13. OCR investigators discovered that the attacks actually began in early December 2014 and that the data extracted included names, social security numbers, medical identification numbers, addresses, birth dates, email addresses and employment information of nearly 79 million individuals.

What Anthem Did Wrong
The OCR investigation concluded that Anthem didn’t do enough to prevent and contain the attacks. Deficiencies cited included:

• Failure to conduct enterprise-wide risk analysis;
• Inadequate procedures for regular review of information system activity;
• Failure to detect and respond to suspected or known security incidents; and
• Failure to implement adequate minimum access controls to prevent cyberattacks.

The Price Tag & Lessons
The $16 million Anthem has agreed to pay OCR to settle its HIPAA liabilities is in addition to the $115 million the insurance giant shelled out to settle a class action with the victims, a record for a health data breach civil lawsuit.

The settlement isn’t just about money. Anthem also had to accept a draconian Corrective Action Plan requiring specific improvements to its data security systems to ensure compliance with HIPAA requirements, including:

• A Risk Analysis program;
• Detailed IT policies and procedures;
• Mandatory information security training; and
• Annual progress reports to OCR.