On Oct. 15, 2018, the HHS and OCR issued a press release describing a $16M penalty against Anthem (an independent licensee of the Blue Cross Blue Shield association) for a HIPAA breach that occurred on Jan. 29, 2015. This breach is the largest in US history and involved a series of cyberattacks resulting in the exposure of electronic protected health information (ePHI) of nearly 79 million people. Anthem must pay the imposed $16 million civil monetary penalty, which is the largest settlement imposed by HHS for a HIPAA breach, and take substantial corrective action to avoid future HIPAA breaches.
Anthem self-reported the breach to HHS on March 23, 2015, explaining that a cyberattack initially occurred on Jan. 29, 2015 as a result of at least one employee responding to a malicious spear-phishing email sent by hackers. The attackers gained access to Anthem’s IT system and opened the door for further attacks. This type of attack is known as an advanced persistent threat. The cyber attackers stole the ePHI of 79 million people, including their names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses and employment information.
In the press release, HHS indicated that Anthem failed to implement appropriate measures for detecting hackers. The investigation revealed that Anthem did not conduct a sufficient enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent cyber attackers from accessing sensitive ePHI, beginning as early as Feb. 18, 2014. “Healthcare entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”
Anthem entered into a resolution agreement with the OCR that, in addition to the penalty, requires Anthem to undertake a corrective action plan to comply with the HIPAA rules. While the agreement isn’t an admission or a concession that Anthem was in violation of the HIPAA rules, it does describe the investigation results that found Anthem had not:
- Conducted an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of all ePHI held by Anthem
- Satisfied the requirement to implement sufficient procedures to regularly review the records of information system activity
- Identified and responded to detections of a security incident (leading to this breach)
- Implemented technical policies and procedures for electronic information systems that maintain ePHI to allow access to only those persons or software programs that have been granted access rights
- Prevented unauthorized access to the ePHI of 78.8 million individuals stored in the enterprise data warehouse
The corrective action plan requires Anthem to conduct a company-wide risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by Anthem. Anthem must also develop policies and procedures for the regular review of records of information system activity collected by Anthem, and processes for evaluating when new or different records need to be included in that review. Access controls, such as network or portal segmentation and password management requirements, must also be created to protect access between Anthem systems containing ePHI.
Anthem must submit an annual report to clarify the status of any findings and to ensure ongoing compliance with the corrective action plan. If HHS determines that Anthem hasn’t complied with the corrective action plan, it may impose additional civil monetary penalties.
This is another example of the ongoing diligence required for employers to comply with HIPAA policies and procedures to both prevent a breach and to respond once a breach occurs.