On October 15, 2018, the Department of Health and Human Services Office of Civil Rights (HHS-OCR) announced that Anthem, Inc. has agreed to pay a record-breaking $16 million to settle allegations that it violated the Health Insurance Portability and Accountability Act (“HIPAA”) after multiple cyberattacks led to the largest ever data breach of health information in the U.S. The previous record HIPAA settlement was $5.5 million paid by Hollywood, Florida-based Memorial Healthcare Systems in 2016.

Anthem, Inc. is one of the nation’s largest health insurance companies, and it provides health coverage to one in eight Americans through its various affiliates. In January 2015, Anthem discovered that a previously undetected cyberattack known as an advanced persistent threat attack had given cyber-attackers access to Anthem’s IT system. Anthem then filed a breach report with HHS-OCR in March 2015.

HHS-OCR investigated and discovered that cyber-attackers initially gained access to Anthem’s system because at least one Anthem employee responded to malicious spear phishing emails. HHS-OCR’s investigation also discovered that the cyber-attackers had used Anthem’s system to obtain the electronic protected health information (ePHI) of almost 79 million people. The stolen ePHI included names, social security numbers, medical identification numbers, addresses, birth dates, email addresses, and employment information. Finally, HHS-OCR also concluded that Anthem failed to implement appropriate strategies to prevent the cyberattacks, such as conducting enterprise-wide risk analysis and adequately responding to suspected or known security incidents.

Commenting on the settlement, HHS-OCR’s Director Roger Severino stated that “Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information,” and that “large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”

The attorneys at Chilivis Grubman assist healthcare entities of all types and sizes with HIPAA-related issues, including audits, assessments, and HHS-OCR investigations. For any questions, or if we can assist you in connection with such a matter, please contact us at (404) 262-6505 or sgrubman@cglawfirm.com.