Insurer Pays Record Settlement Due To Data Breach

Anthem, the nation’s second-largest insurer, is set to pay an enormous sum to the U.S. Department of Health and Human Services (“HHS”) to settle claims over a data breach that was discovered in 2015. The data breach, which affected almost 79 million individuals, is the largest ever to be reported to HHS. The HHS Office of Civil Rights (“OCR”), which investigates such breaches, has reportedly settled Anthem’s violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) for $16 million, which is $11.5 million more than the previous largest settlement paid to OCR.

As an independent licensee of the Blue Cross Blue Shield Association, Anthem is among the largest insurers in the country, projected to cover approximately one in eight Americans either directly or through one of its affiliated healthcare plans. OCR held Anthem responsible for the series of breaches carried out by hackers because, OCR reasoned, as a large healthcare entity, Anthem should have been cognizant of the fact that it is an attractive target for hackers and therefore should protect against, monitor for, and respond to security incidents in a timely manner.

OCR’s investigation showed that as far back as 2014, Anthem had failed to conduct an enterprise-wide security risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent cyber-attacks – all of which HIPAA requires of Anthem. The breaches giving rise to this settlement were carried out by hackers who gained access to Anthem’s systems through phishing emails sent to an Anthem subsidiary, to which at least one employee responded. This opened the door to ongoing cyber-attacks throughout the system.

Anthem filed a breach report, as required by HIPAA, on March 13, 2015, stating that it had discovered the breaches on January 29, 2015, and that the targeted cyber-attacks were aimed at extracting Anthem’s insureds’ protected health information (“PHI”). Of the 79 million individuals affected, OCR reports that the information stolen included names, social security numbers, medical identification numbers, dates of birth, email addresses, and employment information.

Anthem’s settlement with OCR is important for several reasons. First, it shows that OCR is increasing its number of investigations and the amount of penalties for HIPAA violations each year. Second, it stresses the importance of HIPAA compliance, not just to avoid huge penalties, but to protect patients from cyber criminals and potentially life-altering debacles that can come from identity theft or having one’s private information revealed. HIPAA is not a choice for those falling under its purview; there are annual requirements, as well as requirements that involve daily cognizance. If you have any questions on HIPAA compliance, requirements, or if you suspect a data breach, contact an attorney experienced in HIPAA compliance for guidance.