In the wake of the largest U.S. health care data breach in history, Anthem, Inc., has agreed to pay $16 million to the Office for Civil Rights, which is a record settlement for alleged HIPAA violations. According to the Department of Health and Human Services (“HHS”), the previous high was a $5.55 million settlement paid in 2016. In addition to the monetary payment, Anthem has also agreed to take “substantial” corrective action to prevent a similar breach from occurring in the future.
The settlement arose out of a 2014 breach involving the electronic protected health information (“ePHI”) of nearly 79 million people. On January 29, 2015, Anthem discovered that hackers had gained accessed to its IT system through a persistent threat attack. Further investigation revealed that hackers had sent spear phishing emails to one of Anthem’s subsidiaries and at least one employee took the bait. Through that seemingly simple act, the hackers were then able to infiltrate Anthem’s system and compromise its stored ePHI, consisting of names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.
Anthem has already agreed to settle the class action litigation filed on behalf of its consumers, which was approved in August of 2018. Anthem will pay $115 million to approximately 19 million consumers, which includes a pool of $15 million for out-of-pocket expenses, along with free credit monitoring and identity theft protection services. Anthem also agreed to nearly triple its annual spending on data security for the next three years and implement various cybersecurity controls and reforms, such as changing its data retention policies, adhering to specific remediation schedules, and conducting annual IT security risk assessments and settlement compliance review.
The Anthem breach places the spotlight squarely on the need for employee education and training, emphasizing that data security is as much a people problem as it is an IT problem. The best security measures in the world are only as good as those implementing them. As hackers become more sophisticated, companies who maintain sensitive data must become more vigilant, as even a minor lapse like opening a suspicious email can have devastating consequences. Indeed, as HHS noted in its press release, “OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI” well before the breach was discovered. You can read HHS’s press release here.
With cybersecurity experts stressing that being hacked is a not a question of if, but when, we would all do well to heed Ben Franklin’s advice that “an ounce of prevention is worth a pound of cure.”