Anthem Data Breach Settlement of $16 Million Agreed with OCR

The biggest ever healthcare data breach in the United States has attracted the biggest ever penalty for noncompliance with HIPAA Laws. The Anthem data breach settlement of $16 million overshadows the earlier maximum HIPAA penalty of $5.55 million and reflects not only the harshness of the Anthem Inc data breach, which saw the protected health information of 78.8 million plan members stolen but also the level of noncompliance with HIPAA Laws.

The Division of Health and Human Services’ Office for Civil Rights (OCR), the leading enforcer of HIPAA Laws, started a HIPAA compliance analysis of Anthem in February 2015 when news of the huge cyberattack was reported in the mass media. The inquiry was begun a complete month before Anthem informed OCR of the breach.

Anthem found the cyberattack in late January 2015. Anthem probed the breach, helped by the cybersecurity company Mandiant, and found the attackers initially gained access to its systems in December 2014. Entrance to its systems remained possible until January 2015 during which time the data of 78.8 million plan members was thieved.

The attack began with spear phishing electronic mails transmitted to one of its associates, the reply to which permitted the attackers to gain a footing in the network. From there they studied its systems and stole its data warehouse, thieving highly confidential information of its plan members, including names, employment details, email addresses, addresses, and Social Security numbers.

OCR’s compliance analysis exposed a number of areas where Anthem Inc., has failed to completely abide by HIPAA Laws. OCR declared that Anthem had failed to carry out a complete risk analysis to identify threats to ePHI, in violation of 45 C.F.R. § 164.308(u) (1) (ii) (A).

OCR also decided that inadequate policies and procedures had been applied to study records of information system activity in breach of 45 C.F.R. § 164.308(a) (1) (ii) (D), and there was a failure to limit access to its systems and data to approved people – a breach of 45 C.F.R. § 164.312(a).

HIPAA requires all protected units to avoid the illegal accessing of ePHI – 45 C.F.R. § 164.502(a) – which Anthem had failed to do.

Anthem selected to resolve the case and pay a considerable fine with no admission of liability. A robust corrective action plan has also been approved to tackle HIPAA failures and make sure safety is improved.

“Unluckily, Anthem failed to apply proper measures for identifying hackers who had gained access to their system to harvest passwords and steal people’s private information,” said OCR Director, Roger Severino. “We know that big health care units are attractive targets for hackers, which is why they are expected to have strong password policies and to check and react to safety occurrences in a timely manner or risk implementation by OCR.” The size of the HIPAA fine reflects the scale of the break. “The biggest health data break in U.S. history completely merits the biggest HIPAA settlement in history,” said Severino.