OCR HIPAA Penalties Reach $100 Million After Anthem Pays $16 Million for HIPAA Breach Settlement


OCR has issued a settlement fine to Anthem for potential HIPAA violations that led to a breach of 78.8 million records in 2015. Anthem paid $16 million and took corrective action to resolve the compliance issues that OCR discovered during its breach investigation. Before this settlement, the largest HIPAA breach settlement was with Advocate Health Care in 2016, at $5.55 million.

Anthem Inc. is the second biggest health insurer in America. In January 2015, Anthem discovered a breach of its systems that allowed cybercriminals to access its members’ sensitive information. The cybersecurity company Mandiant helped Anthem investigate the breach and determined that it was a persistent, targeted cyberattack intended to steal sensitive data.

The attackers had access to Anthem’s IT systems from December 2, 2014 to January 27, 2015. During this period they stole the data of 78.8 million plan members, including names, birth dates, addresses, email addresses, medical identification numbers, employment details, and Social Security numbers. The attackers gained their initial access to the network by sending spear phishing emails to Anthem’s subsidiaries, then moved laterally to reach the plan members’ information.

Anthem submitted its breach report to OCR on March 13, 2015. By that time OCR had already opened a HIPAA compliance investigation, which began after Anthem posted a notice of the colossal breach on its website. The investigation revealed several potential violations of the HIPAA Rules. Anthem opted to settle the case without admitting liability.

Anthem was charged with the following alleged HIPAA violations:

  • 45 C.F.R. § 164.308(a)(1)(ii)(A) – Failure to conduct an enterprise-wide risk analysis to identify potential risks to the confidentiality, integrity and availability of ePHI.
  • 45 C.F.R. § 164.308(a)(1)(ii)(D) – Failure to implement procedures for regularly reviewing information system activity logs.
  • 45 C.F.R. § 164.308(a)(6)(ii) – Failure to identify and respond to known or suspected security incidents that contributed to the breach.
  • 45 C.F.R. § 164.312(a) – Failure to implement adequate technical policies and procedures for electronic information systems so that only authorized persons and software programs can access ePHI.
  • 45 C.F.R. § 164.502(a) – Failure to prevent unauthorized access to the ePHI of 78.8 million individuals stored in its data storage systems.

Anthem failed to implement adequate measures to detect the attackers who accessed its systems, harvested passwords and stole individuals’ private data. Large healthcare entities are prime targets for hackers, so it is important for them to enforce strong password policies and to monitor for and respond to security incidents promptly, or risk OCR enforcement action.

Besides paying the OCR HIPAA settlement, Anthem also paid $115 million to settle a class action lawsuit filed on behalf of 19.2 million breach victims.

Given the size of the financial penalty Anthem paid in its HIPAA settlement, the previous record for a HIPAA financial penalty has been broken. With this latest settlement, total OCR HIPAA penalties have also passed the $100 million mark. Not many HIPAA penalties have been issued in 2018, yet the year’s total has already risen $1.4 million above the previous record year. With 10 weeks still to go before the end of 2018, the total is very likely to climb higher.