Anthem Pays Largest HIPAA Fine

Anthem paid a $16 million settlement resulting from a series of attacks in 2014 and 2015 that had the potential to expose the personal health information (PHI) of 79 million people. Although it paid the $16 million settlement, Anthem does not admit to any wrongdoing. According to the Department of Health and Human Services (HHS), this was the largest PHI breach in US history. The $16 million settlement is the highest ever reached under HIPAA.

How HIPAA Breach Happened

Anthem discovered the breach in January of 2015 and notified HHS in March of 2015. Hackers had accessed Anthem’s IT system through an undetected, continuous, and targeted cyberattack intended to steal PHI. The attack began with spear phishing emails sent to an Anthem subsidiary.

The HHS Office for Civil Rights (OCR) determined that hackers stole the electronic PHI of 79 million people between December 2, 2014 and January 27, 2015. The stolen PHI included:

  • Names
  • Social Security numbers
  • Medical Identification Numbers
  • Addresses
  • Dates of Birth
  • Email Addresses
  • Employment Information

OCR was concerned because Anthem did not conduct an enterprise-wide risk analysis and did not have sufficient operating procedures to review system activity. OCR also said that Anthem failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum necessary access controls to prevent cyberattacks that began as early as February 18, 2014.

Another HIPAA Breach

Anthem has also agreed to pay a record $115 million to settle a class-action lawsuit filed over the 2015 breach. In addition to the settlement with OCR, Anthem has agreed to corrective actions to comply with HIPAA security rules.

It is very important that every computer system holding PHI has well-defined breach security protocols, and that all organizations not only monitor all attempts to get into their systems, but also have systems and operating procedures addressing what should be done if there is a breach. It is also recommended to hire a system security firm to try to breach all systems with PHI so that weaknesses can be identified and plugged. This would include the security testing firm sending spear phishing emails to staff to see whether they “bite” and whether, as a result, the security firm can breach the systems. Without testing the barriers, the organization will never know where the weaknesses are. This should be the lesson that all take from this Anthem experience.

Barbara Cobuzzi

Barbara J. Cobuzzi, MBA, CPC, CENTC, COC, CPC-P, CPC-I, CPCO, AAPC Fellow, is a consultant with CRN Healthcare Solutions in Tinton Falls, N.J. She is consulting editor for Otolaryngology Coding Alert and has spoken, taught, and consulted widely on coding, reimbursement, compliance, and healthcare-related topics nationally. Barbara also provides litigation support as an expert witness for providers and payers. Cobuzzi is a member of the Monmouth, N.J., AAPC local chapter.