Anthem, Inc. has agreed to pay a record-setting $16 million to the US Department of Health and Human Services’ Office for Civil Rights (OCR) to settle alleged HIPAA violations in connection with Anthem’s 2015 health data breach that affected almost 79 million people.  In addition to the settlement amount, Anthem agreed to a substantial Corrective Action Plan (CAP) to comply with HIPAA.

The $16 million settlement is nearly three times the previous record of $5.55 million. “The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino.

The breach occurred when hackers gained access to Anthem’s IT systems after an employee from one of Anthem’s subsidiaries opened a spear phishing email deployed by the hackers.  From December 2, 2014 to January 27, 2015, the hackers stole the electronic Protected Health Information (ePHI) of nearly 79 million people, including their names, Social Security numbers and dates of birth.

In response to media reports of the breach and information on Anthem’s website concerning the incident, OCR initiated a compliance review of Anthem.  In addition to the impermissible disclosure of ePHI, OCR’s investigation found that Anthem allegedly failed to conduct an enterprise-wide risk analysis, did not regularly review information system activity, failed to identify and detect security incidents and failed to implement sufficient minimum access controls.

The settlement with Anthem is notable in several respects.  First, the settlement amount is far greater than in previous settlements.  Second, the settlement appears to target Anthem’s role as a business associate to the Anthem Affiliated Covered Entities (ACE).  This makes the Anthem settlement OCR’s third with a HIPAA business associate.  Third, as part of the CAP, Anthem agreed to establish policies and procedures “to address access between Anthem systems containing ePHI, such as network or portal segmentation, and provisions to enforce password management requirements, such as password age.”  This aspect of the CAP is significant given that neither the HIPAA regulations nor OCR guidance expressly requires network segmentation.  That said, adopting such policies and procedures is a good practice and helps to thwart the common hacker tactic of stealing administrator privileges and then using those credentials to move laterally across a network.

OCR’s findings are in sharp contrast to the results of a national investigation into the same breach that was led by seven state insurance commissioners.  That investigation, the results of which were released in January 2017, found that Anthem took reasonable measures to protect its data prior to the breach.  Anthem reportedly paid more than $260 million dollars for security improvements and remedial actions in response to the breach, which appeared to be a factor in the decision of those state insurance commissioners not to impose administrative fines or sanctions.

The Anthem settlement pushes the total amount of fines for HIPAA violations in 2018 to almost $25 million, also a new record.  However, it is yet to be seen whether this settlement signals higher settlements in HIPAA enforcement actions generally, or should be attributed solely to the large number of affected individuals.

A clear message

The settlement should be viewed as a clear message that OCR will continue to enforce HIPAA vigorously in the Trump era.

To avoid potentially large fines resulting from a HIPAA violation, covered entities and business associates should assess their privacy and security programs and regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports.  These entities should conduct a HIPAA risk assessment, which is a comprehensive assessment of risks to ePHI, as required under the Security Rule.  Risk assessments, which are an essential step in managing cyber-risk, take time to perform, as is evident from the seven months that the CAP gave Anthem to provide a risk assessment.

With 24 OCR settlements to date against companies for failing to conduct an accurate and thorough risk assessment under HIPAA, OCR has made it clear that inaction on risk assessments will result in an enforcement action.

Learn more about this settlement and its implications by contacting either of the authors.