Share this article on:
OCR has announced that an Anthem HIPAA breach settlement has been reached to resolve potential HIPAA violations discovered during the investigation of its colossal 2015 data breach that saw the records of 78.8 million of its members stolen by cybercriminals.
Anthem has agreed to pay OCR $16 million and will undertake a robust corrective action plan to address the compliance issues discovered by OCR during the investigation.
The previous largest ever HIPAA breach settlement was $5.55 million, which was agreed with Advocate Health Care in 2016. “The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino.
Anthem Inc., an independent licensee of the Blue Cross and Blue Shield Association, is America’s second largest health insurer. In January 2015, Anthem discovered cybercriminals had breached its defenses and had gained access to its systems and members’ sensitive data. With assistance from cybersecurity firm Mandiant, Anthem determined this was an advanced persistent threat attack – a continuous and targeted cyberattack conducted with the sole purpose of silently stealing sensitive data.
The attackers first gained access to its IT systems on December 2, 2014, with access continuing until January 27, 2015. During that time the attackers stole the data of 78.8 million plan members, including names, addresses, dates of birth, medical identification numbers, employment information, email addresses, and Social Security numbers.
The attackers gained a foothold in its network through spear phishing emails sent to one of its subsidiaries. They were then able to move laterally through its network to gain access to plan members’ data.
Anthem reported the data breach to OCR on March 13, 2015; however, by that time OCR was already a month into a compliance review of Anthem Inc. OCR took prompt action after Anthem uploaded a breach notice to its website and media reports started to appear indicating the colossal scale of the breach.
The OCR investigation uncovered multiple potential violations of HIPAA Rules. Anthem chose to settle the HIPAA violation case with no admission of liability.
OCR’s alleged HIPAA violations were:
- 45 C.F.R. § 164.308(u)(1)(ii)(A) – A failure to conduct a comprehensive, organization-wide risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI.
- 45 C.F.R. § 164.308(a)(1)(ii)(D) – The failure to implement regularly review records of information system activity.
- 45 C.F.R. § 164.308 (a)(6)(ii) – Failures relating to the requirement to identify and respond to detections of a security incident leading to a breach.
- 45 C.F.R. § 164.312(a) – The failure to implement sufficient technical policies and procedures for electronic information systems that maintain ePHI and to only allow authorized persons/software programs to access that ePHI.
- 45 C.F.R. § 164.502(a) – The failure to prevent the unauthorized accessing of the ePHI of 78.8 million individuals that was maintained in its data warehouse.
“Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information,” said Roger Severino. “We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”
In addition to the OCR HIPAA settlement, Anthem has also paid damages to victims of the breach. Anthem chose to settle a class action lawsuit filed on behalf of 19.1 million customers whose sensitive information was stolen. Anthem agreed to settle the lawsuit of $115 million.
2018 OCR HIPAA Settlements and Civil Monetary Penalties
Given the size of the Anthem HIPAA settlement it is no surprise that 2018 has seen OCR smash its previous record for financial penalties for HIPAA violations. The latest settlement takes OCR HIPAA penalties past the $100 million mark.
There have not been as many HIPAA penalties in 2018 than 2016(13), although this year has seen $1.4 million more raised in penalties than the previous record year and there are still 10 weeks left of 2018. The total is likely to rise further still.
OCR Financial Penalties for HIPAA Violations (2008-2018)
| Year | Settlements and CMPs | Total Fines |
| 2018 | 1 | $24,947,000 |
| 2017 | 1 | $19,393,000 |
| 2016 | 2 | $23,505,300 |
| 2015 | 3 | $6,193,400 |
| 2014 | 5 | $7,940,220 |
| 2013 | 5 | $3,740,780 |
| 2012 | 6 | $4,850,000 |
| 2011 | 6 | $6,165,500 |
| 2010 | 13 | $1,035,000 |
| 2009 | 10 | $2,250,000 |
| 2008 | 7 | $100,000 |
| Total | 59 | $100,120,200 |
Largest Ever Penalties for HIPAA Violations
| Year | Covered Entity | Amount | Settlement/CMP |
| 2018 | Anthem Inc | $16,000,000 | Settlement |
| 2016 | Advocate Health Care Network | $5,550,000 | Settlement |
| 2017 | Memorial Healthcare System | $5,500,000 | Settlement |
| 2014 | New York and Presbyterian Hospital and Columbia University | $4,800,000 | Settlement |
| 2018 | University of Texas MD Anderson Cancer Center | $4,348,000 | Civil Monetary Penalty |
| 2011 | Cignet Health of Prince George’s County | $4,300,000 | Civil Monetary Penalty |
| 2016 | Feinstein Institute for Medical Research | $3,900,000 | Settlement |
| 2018 | Fresenius Medical Care North America | $3,500,000 | Settlement |
| 2015 | Triple S Management Corporation | $3,500,000 | Settlement |
| 2017 | Children’s Medical Center of Dallas | $3,200,000 | Civil Monetary Penalty |