As a result of a single data breach of protected health information (PHI), albeit one affecting 79 million consumers, Anthem Inc. is now being fined $16 million by the government and owes an additional $115 million to those affected, who won a class action lawsuit that was approved by a judge this past August.
The $16 million HIPAA violation fine is the largest ever, eclipsing the previous high of $5.55 million paid in 2016 to the regulatory agency, the Office for Civil Rights (OCR). OCR is the branch of the Department of Health and Human Services (HHS) that monitors and regulates companies governed by the HIPAA privacy and security rules.
The $115 million to consumers will cover any expenses suffered from the breach and will also provide two free years of credit monitoring and identity theft protection for all 79 million. (Those who can show they already pay for such services will receive a cash reimbursement.)
On March 13, 2015, Anthem filed a breach report with OCR detailing that, on Jan. 29, 2015, the company discovered cyber-attackers had gained access to its IT system through an undetected, continuous and targeted cyberattack aimed at extracting data, otherwise known as an advanced persistent threat (APT).
After filing its breach report, Anthem discovered the cyber-attackers had infiltrated its system through spear phishing emails sent to an Anthem subsidiary; at least one employee responded to the malicious email, which opened the door to further attacks. OCR’s investigation revealed that between Dec. 2, 2014 and Jan. 27, 2015, the cyber-attackers stole the PHI of almost 79 million individuals, including names, Social Security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.
In addition to the impermissible disclosure of medical data, OCR’s investigation revealed that Anthem had failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, had failed to identify and respond to suspected or known security incidents, and had failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive PHI, beginning as early as Feb. 18, 2014.
In addition to the $16 million settlement, Anthem will undertake a robust corrective action plan to comply with the HIPAA rules.
Anthem is an independent licensee of the Blue Cross and Blue Shield Association operating throughout the United States and is one of the nation’s largest health benefits companies, providing medical care coverage to one in eight Americans through its affiliated health plans.