Anthem Inc. has agreed to pay $16 million to settle HIPAA allegations related to the historic data breach the insurer suffered in 2015. The record amount of the resolution agreement, announced October 15 by the U.S. Department of Health and Human Services (HHS), is nearly triple the previous high of $5.5 million.
Anthem is one of the nation’s largest health benefits companies, providing medical care coverage to one in eight Americans through its affiliated health plans. Its breach affected electronic protected health information (e-PHI) that Anthem maintained for its affiliated health plans and other HIPAA-covered health plans, including many employers’ group health plans.
On March 13, 2015, Anthem filed a breach report with HHS’s Office for Civil Rights (OCR) stating that on January 29, 2015, it had discovered that cyber-attackers had gained access to its IT systems through an undetected, continuous and targeted cyberattack whose apparent purpose was to extract data, in other words an advanced persistent threat (APT) attack.
After filing the breach report, Anthem determined that the cyber-attackers had infiltrated its systems through spear phishing e-mails sent to an Anthem subsidiary: at least one employee responded to a malicious e-mail, which opened the door to further attacks. OCR’s investigation found that the cyber-attackers had stolen the e-PHI of almost 79 million individuals, including names, Social Security numbers, medical identification numbers, addresses, dates of birth, e-mail addresses, and employment information.
In addition to the impermissible disclosure of e-PHI, OCR found that Anthem had failed to conduct an enterprise-wide risk analysis, had insufficient procedures for regularly reviewing information system activity, had failed to identify and respond to suspected or known security incidents, and had failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive e-PHI.
“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino in a statement. “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information.”
“Anthem takes the security of its data and the personal information of consumers very seriously,” according to the company’s own statement. “At the time of the incident, our first priority was to ensure that our systems were secure, which we did by engaging a world-class security organization and the FBI. Additionally, we provided initial notice within 4 business days, and credit protections within 11 business days. We are not aware of any fraud or identity theft that has occurred as a result of this incident.”