The Department of Health and Human Services, Office for Civil Rights (OCR) has announced a record HIPAA settlement with healthcare insurance giant Anthem following a mega-breach dating back to 2015. The $16 million settlement is the largest the country has ever seen, eclipsing the $5.55 million agreed with Advocate Health Care in 2016. In announcing the settlement, regulators highlighted the fact that the insurer failed to take basic security steps, which led to the leak of the protected health information (PHI) of nearly 79 million individuals.
Anthem Inc. is an independent licensee of the Blue Cross and Blue Shield Association, and America’s second largest health insurer. In January 2015, Anthem discovered that its cyber defenses had been breached and criminals had gained access to systems containing sensitive member data.
OCR reports that the breach began when the attackers gained access to Anthem’s IT infrastructure through spear phishing emails sent to an Anthem subsidiary, where at least one employee responded to the malicious email. After further investigation, OCR found that between December 2, 2014, and January 27, 2015, the electronic PHI (ePHI) of almost 79 million individuals was stolen, including names, Social Security numbers, and medical identification numbers.
OCR’s investigation found that in addition to the disclosure of ePHI, “Anthem failed to conduct an enterprisewide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber attackers from accessing sensitive ePHI, beginning as early as Feb. 18, 2014.”
The rise of phishing scams
Phishing emails are an increasingly common method used by cyber attackers, and this is not the first large-scale phishing breach of 2018. Earlier this year UnityPoint Health filed a breach report stating that 1.4 million patients had been compromised as a result of a phishing scam. So severe is the threat that Verizon’s 2018 data breach report revealed almost half (43%) of data breaches now stem from phishing attacks. The size of the Anthem settlement is an unpleasant reminder to healthcare organizations that handle sensitive data to stay on top of their cybersecurity requirements. 2018 has already been a busy year for the OCR, with a number of large data breaches reported in the first 6 months; however, none of those came anywhere near the size of this breach. OCR Director Roger Severino explained, “the largest health data breach in U.S. history fully merits the largest HIPAA settlement in history”.