Anthem Pays Largest HIPAA Fine
Anthem paid a $16 million settlement resulting from a series of attacks in 2014 and 2015 that had the potential to expose the personal health information (PHI) of 79 million people. Although it paid the $16 million settlement, Anthem does not admit to any wrongdoing. According to the Department of Health and Human Services (HHS), this was the largest PHI breach in US history, and the $16 million settlement is the highest ever reached under HIPAA.
How the HIPAA Breach Happened
Anthem discovered the breach in January 2015 and notified HHS in March 2015. Hackers had accessed Anthem's IT systems through an undetected, continuous and targeted cyberattack intended to steal PHI. The attack began with spear-phishing emails sent to an Anthem subsidiary.
The HHS Office for Civil Rights (OCR) determined that hackers stole the electronic PHI of 79 million people between December 2, 2014 and January 27, 2015. The stolen PHI included:
- Social Security numbers
- Medical Identification Numbers
- Dates of Birth
- Email Addresses
- Employment Information
OCR was concerned because Anthem had not conducted an enterprise-wide risk analysis and did not have sufficient operating procedures to regularly review system activity. OCR also said that Anthem failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum necessary access controls to prevent cyberattacks that began as early as February 18, 2014.
Another HIPAA Breach
Anthem has also agreed to pay a record $115 million to settle a class action lawsuit filed over the 2015 breach. In addition to the settlement with OCR, Anthem has agreed to corrective actions to bring it into compliance with the HIPAA Security Rule.
It is very important that all computer systems holding PHI have well-defined breach-security protocols, and that every organization not only monitors all attempts to get into its systems but also has systems and operating procedures that define what should be done if a breach occurs. It is also recommended to hire a security firm to attempt to breach all systems that hold PHI, so that weaknesses can be identified and plugged. This would include having the testing firm send spear-phishing emails to staff to see whether they "bite" and, as a result, whether the firm could gain access. Without testing its defenses, an organization will never know where its weaknesses are. This should be the lesson that all take from the Anthem experience.
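OCR's findings above center on two gaps: no routine review of system activity, and no process for identifying suspected incidents. The following script is an added example, not from the original article or from Anthem, of what an automated activity review of that kind can look like. It parses constructed audit-log lines (the log format, usernames, IP addresses and thresholds are all assumed for illustration) and flags two patterns a reviewer would want surfaced: a burst of failed logins against one account from one source, and an account that reads far more PHI records than its peers.

```python
"""Flag suspicious activity in a PHI system's audit log.

Added example (not part of the original article). The log format below is
assumed: "<ISO timestamp> user=<name> event=<login_ok|login_fail|phi_read> [records=N] [src=IP]".
Thresholds are illustrative and would be tuned to a real environment's baseline.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>login_ok|login_fail|phi_read)"
    r"(?: records=(?P<records>\d+))?(?: src=(?P<src>\S+))?$"
)

# Constructed sample log: two normal users, then one service account that is
# brute-forced from an outside address and then pulls an abnormal volume of records.
SAMPLE_LOG = """\
2015-01-20T08:00:01 user=alice event=login_ok src=10.1.1.5
2015-01-20T08:05:12 user=alice event=phi_read records=12 src=10.1.1.5
2015-01-20T08:06:40 user=bob event=login_ok src=10.1.1.9
2015-01-20T08:07:02 user=bob event=phi_read records=8 src=10.1.1.9
2015-01-20T22:10:00 user=svc_backup event=login_fail src=203.0.113.7
2015-01-20T22:10:03 user=svc_backup event=login_fail src=203.0.113.7
2015-01-20T22:10:05 user=svc_backup event=login_fail src=203.0.113.7
2015-01-20T22:10:08 user=svc_backup event=login_fail src=203.0.113.7
2015-01-20T22:10:11 user=svc_backup event=login_fail src=203.0.113.7
2015-01-20T22:10:14 user=svc_backup event=login_ok src=203.0.113.7
2015-01-20T22:15:00 user=svc_backup event=phi_read records=50000 src=203.0.113.7
"""


def parse_log(text):
    """Parse matching lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real deployment should count and report these too
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "user": d["user"],
            "event": d["event"],
            "records": int(d["records"]) if d["records"] else 0,
            "src": d["src"],
        })
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return (user, src) pairs with at least `threshold` failed logins inside any `window`."""
    by_key = defaultdict(list)
    for e in events:
        if e["event"] == "login_fail":
            by_key[(e["user"], e["src"])].append(e["ts"])
    hits = []
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(key)
                break
    return hits


def bulk_phi_readers(events, max_records=1000):
    """Return users whose total PHI records read exceeds `max_records`."""
    totals = Counter()
    for e in events:
        if e["event"] == "phi_read":
            totals[e["user"]] += e["records"]
    return sorted(u for u, n in totals.items() if n > max_records)


def review(text):
    """Run both checks over a log text and return the findings."""
    events = parse_log(text)
    return {
        "failed_login_bursts": failed_login_bursts(events),
        "bulk_phi_readers": bulk_phi_readers(events),
    }


if __name__ == "__main__":
    for finding, items in review(SAMPLE_LOG).items():
        print(f"{finding}: {items}")
```

Run against the sample, the review reports one failed-login burst (`svc_backup` from `203.0.113.7`) and one bulk reader (`svc_backup`). The value of a check like this is not the specific thresholds but that someone, or something, looks at the log on a schedule and that each finding has a documented response step, which is exactly the operating procedure OCR found missing.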