The largest ever healthcare data breach in the United States has attracted the largest ever fine for noncompliance with HIPAA Rules. The Anthem data breach settlement of $16 million eclipses the previous highest HIPAA fine of $5.55 million and reflects not only the severity of the Anthem Inc. data breach, which saw the protected health information of 78.8 million plan members stolen, but also the extent of noncompliance with HIPAA Rules.
The Department of Health and Human Services’ Office for Civil Rights (OCR), the main enforcer of HIPAA Rules, launched a HIPAA compliance review of Anthem in February 2015 when news of the massive cyberattack was reported in the media. The investigation was started a full month before Anthem notified OCR of the breach.
Anthem discovered the cyberattack in late January 2015. Anthem investigated the breach, assisted by the cybersecurity firm Mandiant, and discovered the attackers first gained access to its systems in December 2014. Access to its systems remained possible until January 2015 during which time the data of 78.8 million plan members was stolen.
The attack started with spear phishing emails sent to one of its affiliates, the response to which allowed the attackers to gain a foothold in the network. From there they explored its systems and plundered its data warehouse, stealing highly sensitive information of its plan members, including names, addresses, email addresses, employment details, and Social Security numbers.
OCR’s compliance review revealed several areas where Anthem Inc. had failed to fully comply with HIPAA Rules. OCR alleged that Anthem had failed to conduct a full risk analysis to identify threats to ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).
OCR also determined that insufficient policies and procedures had been implemented to review records of information system activity in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D), and there was a failure to restrict access to its systems and data to authorized individuals – a violation of 45 C.F.R. § 164.312(a).
HIPAA requires all covered entities to prevent unauthorized access to ePHI – 45 C.F.R. § 164.502(a) – which Anthem had failed to do.
Anthem chose to settle the case and pay a substantial penalty with no admission of liability. A robust corrective action plan has also been adopted to address HIPAA failures and ensure security is improved.
“Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information,” said OCR Director Roger Severino. “We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”
The size of the HIPAA penalty reflects the scale of the breach. “The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said Severino.