Anthem On the Hook for $16M to U.S., $115M to Consumers

As a result of a single data breach of protected health information (PHI), albeit one affecting 79 million consumers, Anthem Inc. is now being fined $16 million by the government and owes an additional $115 million to those affected, who won a class action lawsuit that was approved by a judge this past August.

The $16 million HIPAA settlement is the largest ever, eclipsing the previous high of $5.55 million paid to the regulatory agency, the Office for Civil Rights (OCR), in 2016. OCR is the branch of the Department of Health and Human Services (HHS) that monitors and regulates companies governed by the HIPAA privacy and security rules.

The $115 million to consumers will cover any expenses suffered from the breach and will also provide two free years of credit monitoring and identity theft protection for all 79 million. (Those who can show they already pay for such services will receive a cash reimbursement.)

On March 13, 2015, Anthem filed a breach report with OCR detailing that, on Jan. 29, 2015, the company discovered cyber-attackers had gained access to its IT system via an undetected, continuous and targeted cyberattack apparently aimed at extracting data, otherwise known as an advanced persistent threat (APT) attack.

After filing its breach report, Anthem discovered cyber-attackers had infiltrated its system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between Dec. 2, 2014 and Jan. 27, 2015, the cyber-attackers stole the PHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

In addition to the impermissible disclosure of medical data, OCR’s investigation revealed that Anthem had failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, had failed to identify and respond to suspected or known security incidents, and had failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive PHI, beginning as early as Feb. 18, 2014.

In addition to the $16 million settlement, Anthem will undertake a robust corrective action plan to comply with the HIPAA rules.

Anthem is an independent licensee of the Blue Cross and Blue Shield Association operating throughout the United States and is one of the nation’s largest health benefits companies, providing medical care coverage to one in eight Americans through its affiliated health plans.

NOTE: The details in this blog are provided for informational purposes only. All answers are general in nature and do not constitute legal advice. If legal advice or other expert assistance is required, the services of a competent professional should be sought. The author specifically disclaims any and all liability arising directly or indirectly from the reliance on or use of this blog.