- Anthem has agreed to pay a record $16 million, almost three times the previous highest HIPAA penalty, and to take corrective actions to settle HIPAA violations that exposed the ePHI of close to 79 million people, OCR announced Oct. 15.
“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino in announcing the settlement.
In 2015, Anthem admitted to a healthcare data breach, in which names, dates of birth, medical IDs or Social Security numbers, street addresses, and email addresses of 78.8 million former and current customers were compromised.
Anthem filed a breach report with OCR on March 13, 2015, in which the Blue Cross and Blue Shield licensee informed the office that it discovered on Jan. 29 that attackers had gained access to its IT system through an advanced persistent threat cyberattack that extracted customer data.
After filing the breach report, Anthem discovered that a spearphishing attack at a subsidiary enabled attackers to steal additional data.
An OCR investigation found that Anthem had failed to conduct an enterprise-wide risk analysis, to put in place procedures for information system activity review, to identify and respond to security incidents, and to implement minimum access controls to stop attackers from accessing sensitive ePHI.
“Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information,” Severino said.
“We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”
In the corrective action plan, Anthem has agreed to conduct an “accurate and thorough” risk analysis and provide to OCR within 90 days a statement of work for the risk analysis. Once the risk analysis is completed, Anthem will incorporate the results into its existing process for implementing security measures in order to reduce risk and vulnerabilities to a “reasonable and appropriate level as required by the HIPAA Security Rule.”
In addition, Anthem has agreed to review and revise written policies and procedures in compliance with HIPAA standards that govern the security of ePHI. Once approved by OCR, the health insurer will distribute these policies and procedures to its workforce.
The policies and procedures must include processes for information system activity review and access controls, such as network segmentation and rigorous password management. If any employee fails to comply with these policies and procedures, Anthem must report the incident to OCR within 60 days.
Anthem must submit an implementation report to OCR within 120 days after the office finalizes its review of the revised policies and procedures. After that, Anthem must submit annual reports about its compliance with the corrective action plan, including any reportable events and the status of action taken to address these events. An officer of Anthem must attest to the accuracy of the annual reports.
Anthem is required to maintain all documents and records relating to its compliance with the corrective action plan for six years.
In an Oct. 15 statement quoted by AP, Anthem said it “takes the security of its data and the personal information of consumers very seriously. We have cooperated with (the government) throughout their review and have now reached a mutually acceptable resolution.”
As part of the lawsuit settlement, Anthem agreed to provide victims a minimum of two years of credit monitoring and identity theft protection, cash instead of credit monitoring for those who can show they already have a credit monitoring service, and reimbursement of out-of-pocket costs traceable to the data breach.