The biggest health data breach ever has now resulted in the biggest fine that an entity has ever paid to the Department of Health and Human Services’ Office for Civil Rights (OCR). Anthem, Inc. has agreed to pay OCR a penalty of $16 million for the cyberattack that in 2015 exposed the protected health information (PHI) of almost 79 million people, OCR announced this week.
All of Anthem’s product lines were affected by the breach, including Anthem Blue Cross, Anthem Blue Cross and Blue Shield, and Blue Cross and Blue Shield of Georgia, among other brands. Through the breach, which occurred in January 2015, hackers gained access to “personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.” According to OCR, the attackers used spear phishing emails sent to an Anthem subsidiary; at least one employee responded to the malicious email, which opened the door to further attacks.
“In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014,” an OCR press release states. “In addition to the $16 million settlement, Anthem will undertake a robust corrective action plan to comply with the HIPAA Rules.”
Click here to read OCR’s corrective action plan for Anthem.
Kristi Fahy, RHIA discusses the role information governance plays in identifying and mitigating vulnerabilities, thus helping organizations prepare for and safeguard against cyberattack threats, in an IGIQ post that addresses the Anthem breach and penalty. Click here to read more.