Largest U.S. Health Data Breach in History
It was recently announced by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that Anthem, Inc. has agreed to pay $16 million and take substantial corrective action to settle potential violations of the HIPAA Privacy and Security Rules. As reported by OCR, this is the largest U.S. health data breach in history! The electronically protected health information (ePHI) of almost 79 people was exposed after a series of cyber-attacks.
The OCR announcement goes on to say that the $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016.
What information was exposed?
According to OCR's announcement, as part of their first breach report filed on March 13, 2015, Anthem revealed cyber-attackers gained access to their IT system via an undetected continuous and targeted cyber attack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack. Following their initial breach report, it was learned that Anthem's system was infiltrated by cyber-attackers as a result of spear-phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR's investigation revealed that between December 2, 2014, and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.
OCR also states that Anthem failed to do the following; conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.
In addition to the $16 million settlement, Anthem will undertake a robust corrective action plan to comply with the HIPAA Rules.
An important reminder
When it comes to ePHI, failing to perform a security risk analysis and not having adequate safeguards or policies and procedures in place to prevent cyber-attackers from accessing data, is not an option. A key takeaway from this is that covered entities and business associates are responsible for following all HIPAA requirements, including safeguarding ePHI.
Please contact us by email: support@hcp.md or by phone: 855-427-0427 with any questions or concerns.