Anthem, Inc. will pay $16 million and take “substantial corrective action” to settle potential violations of HIPAA after a series of cyber attacks exposed the electronic protected health information (ePHI) of almost 79 million people.
Additionally, the affected patients brought a class-action lawsuit against Anthem, which settled last year for $115 million.
Anthem is an independent licensee of the Blue Cross and Blue Shield Association, and is one of the nation’s largest health benefits companies. Anthem provides medical care coverage to one in eight Americans through its affiliated health plans.
On January 29, 2015, Anthem staff discovered that cyber attackers had gained access to their IT system through spear phishing emails sent to an Anthem subsidiary. At least one employee responded to the malicious email and opened the door to further attacks, according to Anthem’s breach report.
The investigation by the HHS Office for Civil Rights (OCR) revealed that between December 2, 2014 and January 27, 2015, the attackers stole the ePHI of almost 79 million individuals, including names, Social Security numbers, medical ID numbers, addresses, dates of birth, email addresses, and employment information.
OCR’s investigation also found that Anthem had failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and, beginning on February 18, 2014, failed to implement adequate minimum access controls to keep the attackers away from ePHI.
The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016. OCR referred to the Anthem breach as the “largest health data breach in U.S. history.”
In addition to the settlement, Anthem will undertake a “robust corrective action plan” to bring its program into compliance with the HIPAA Rules.
Lessons learned from the Anthem breach
- Anthem failed to conduct an enterprise-wide risk analysis. Note that the security risk analysis required for MIPS covers only the ePHI held in your EHR; the HIPAA Security Rule requires an enterprise-wide analysis that covers every system that creates, receives, maintains, or transmits ePHI, not just the EHR.
- Anthem had insufficient procedures to regularly review information system activity. HIPAA requires you to have procedures in place to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports, so that unusual access (for example, one account reading far more patient records than its job requires) is noticed while it is happening rather than months later.
- Anthem failed to identify and respond to suspected or known security incidents. Have you conducted workforce education on security incidents? Does your staff know what to do if they suspect or experience a security incident?
- Anthem failed to implement adequate minimum access controls to prevent the attackers from accessing ePHI. The FBI has warned that health care is lagging behind other industries in security technology. Minimum necessary access (giving each user and each system account only the ePHI it needs to do its job) is a concept that must be implemented in all organizations, because it limits how much data a single compromised account can reach.
- Hackers were able to infiltrate Anthem's systems after at least one employee responded to a spear phishing email. Have you educated your staff about the techniques attackers use to manipulate people into giving up credentials or other confidential information?
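The two lessons above about reviewing information system activity and recognizing security incidents are easier to act on with a concrete review in hand. The following is an added example, written for this page and not Anthem's own tooling or any OCR guidance: a small Python script that runs three review rules over ePHI access audit records. The log records, field names, thresholds, and the per-account baseline of known source addresses are all constructed for illustration; real audit logs will have a different shape, and the thresholds would be tuned to your own workforce.

```python
"""Added example: a minimal information-system-activity review run over
constructed ePHI access audit records (not Anthem's logs or tooling)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Tunable thresholds (assumed values for illustration).
HOURLY_PATIENT_THRESHOLD = 500      # distinct patient records per user per hour
OFF_HOURS = (22, 6)                 # 22:00 to 06:00 local counts as off-hours
BULK_ACTIONS = {"query", "export"}  # actions that touch many records at once

# Constructed baseline of the source addresses each account normally uses.
KNOWN_SOURCES: Dict[str, Set[str]] = {
    "jdoe": {"10.1.2.10"},
    "svc_report": {"10.1.5.20"},
}


def build_sample_log() -> List[dict]:
    """Return constructed audit records: one benign clinician session and
    one account bulk-reading thousands of patients overnight from a host
    it has never used. Field names are assumed, not a real log format."""
    records = []
    day = datetime(2015, 1, 20, 9, 0, 0)
    for i in range(6):  # clinician views a few charts during office hours
        records.append({"ts": day + timedelta(minutes=10 * i), "user": "jdoe",
                        "patient": f"P{1000 + i}", "action": "view",
                        "src": "10.1.2.10"})
    night = datetime(2015, 1, 21, 2, 5, 0)
    for i in range(2500):  # one query per second against distinct patients
        records.append({"ts": night + timedelta(seconds=i), "user": "svc_report",
                        "patient": f"P{5000 + i}", "action": "query",
                        "src": "172.16.99.7"})
    return records


def distinct_patients_per_hour(records: List[dict]) -> Dict[tuple, int]:
    """Count the distinct patient IDs each user touched in each clock hour."""
    buckets: Dict[tuple, Set[str]] = defaultdict(set)
    for r in records:
        hour = r["ts"].replace(minute=0, second=0, microsecond=0)
        buckets[(r["user"], hour)].add(r["patient"])
    return {key: len(patients) for key, patients in buckets.items()}


def is_off_hours(ts: datetime) -> bool:
    start, end = OFF_HOURS
    return ts.hour >= start or ts.hour < end


def review(records: List[dict],
           known_sources: Dict[str, Set[str]] = KNOWN_SOURCES,
           threshold: int = HOURLY_PATIENT_THRESHOLD) -> List[dict]:
    """Apply three review rules and return one finding per rule and user."""
    findings: List[dict] = []

    # Rule 1: bulk access. Far more distinct patients in one hour than a
    # person could plausibly be treating.
    for (user, hour), n in sorted(distinct_patients_per_hour(records).items()):
        if n > threshold:
            findings.append({"rule": "bulk_access", "user": user,
                             "hour": hour.isoformat(), "distinct_patients": n})

    # Rule 2: bulk-style actions outside working hours.
    off_hours = defaultdict(int)
    for r in records:
        if r["action"] in BULK_ACTIONS and is_off_hours(r["ts"]):
            off_hours[r["user"]] += 1
    for user, n in sorted(off_hours.items()):
        findings.append({"rule": "off_hours_bulk", "user": user, "count": n})

    # Rule 3: an account used from a source address not in its baseline.
    new_sources = defaultdict(set)
    for r in records:
        if r["src"] not in known_sources.get(r["user"], set()):
            new_sources[r["user"]].add(r["src"])
    for user, srcs in sorted(new_sources.items()):
        findings.append({"rule": "new_source", "user": user,
                         "sources": sorted(srcs)})
    return findings


if __name__ == "__main__":
    for finding in review(build_sample_log()):
        print(finding)
```

Run on the constructed log, the clinician's six chart views produce no findings, while the service account trips all three rules: 2,500 distinct patients in a single hour, 2,500 bulk queries at 2 a.m., and a source address it has never used before. Each of those is the kind of record a regular review procedure is supposed to surface, and each is also the trigger for the incident response question raised above: once a rule fires, who is paged, and what do they do next?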