Anthem, Inc., a health insurance company and the largest for-profit managed health care company in the Blue Cross and Blue Shield Association, has been levied the largest ever fine for a HIPAA violation for the February 2015 attack on their servers which saw over 78.8 million records stolen.
The Anthem data breach settlement of $16 million is nearly three times the previous record-holder for largest HIPAA fine ($5.55 million) and reflects the severity of the Anthem Inc data breach. The breach extended into multiple brans Anthem, Inc. uses.
The size of the fine reflects the extent to which Anthem, Inc. was found to be in violation with HIPAA Rules during the course of the investigation that was launched into the incident.
The Department of Health and Human Services’ Office for Civil Rights (OCR), the main enforcer of HIPAA Rules, launched a HIPAA compliance review of Anthem in February 2015 when news of the massive cyberattack was reported in the media. Anthem only submitted their official notification to OCR that a breach had even occurred a month after OCR’s investigation had started.
Anthem discovered the cyberattack in late January 2015. Anthem launched an internal investigation into the breach, and contracted a third-party cybersecurity firm Mandiant to assist with their investigation. It was discovered the attackers first gained access to its systems in December 2014. Access to its systems remained possible until January 2015 during which time the protected health information (PHI) of 78.8 million plan members was stolen.
The attack started with spear phishing emails sent to one of its affiliates. Spear phishing involves attacks directed at specific individuals or companies. It is not uncommon for scammers to obtain background information on their victims by searching social media profiles such that the email seems more realistic. The employee responded to the email, which allowed the hackers to gain access to the organisation’s network. This allowed them to steal highly sensitive information of Anthem’s plan members, including names, addresses, email addresses, employment details, and Social Security numbers. Due to the sensitive nature of this information, those affected by the breach are at risk of becoming victims of identity theft, or having their data used for nefarious purposes.
OCR’s compliance review revealed several areas where Anthem Inc., has failed to fully comply with HIPAA Rules. OCR alleged that Anthem had failed to conduct a full risk analysis to identify threats to ePHI, in violation of 45 C.F.R. § 164.308(u)(1)(ii)(A).
In addition to this violation, OCR determined that insufficient policies and procedures had been implemented to review records of information system activity in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D), and there was a failure to restrict access to its systems and data to authorized individuals – a violation of 45 C.F.R. § 164.312(a).
Anthem had failed to prevent unauthorised individuals from accessing ePHI, which is a fundamental requirement of HIPAA-45 C.F.R. § 164.502(a).
These violations, when compounded, were deemed to be significant enough to justify the huge fine with which Anthem, Inc. had been levied.
Anthem chose to settle the case and pay a substantial penalty with no admission of liability. A robust corrective action plan has also been adopted to address HIPAA failures and ensure security is improved.
“Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information,” said OCR Director, Roger Severino. “We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”
The size of the HIPAA penalty reflects the scale of the breach. “The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said Severino.
In addition to paying this fine, Anthem faced several civil class-action lawsuits, which were settled in 2017 at a cost of $115 million. Again, Anthem, Inc. did not admit to any wrongdoing in the settlement.