Anthem, Inc. has agreed to pay $16 million to the Office for Civil Rights (OCR) and has accepted a corrective action after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information (ePHI) of almost 79 million people.

Anthem is one of the nation’s largest health benefits companies. It provides medical care coverage to about one in eight people in the U.S.

The OCR press release provides details about the breach and the settlement.

Anthem filed a breach report with the OCR in March 2015 for a breach that occurred in January 2015. Anthem discovered that cyber-attackers had gained access to its network and were continually extracting information. This is often called an advanced persistent threat (APT) attack. The problem with these types of attacks is that the attacker can go undetected for a long period of time.

Upon further investigation, Anthem discovered that the attackers had gained access to the network through spear phishing emails sent to an Anthem subsidiary. At least one employee responded to the malicious emails, which opened the virtual door to further attacks.

The OCR found that between December 2, 2014, and January 27, 2015, the attackers stole the ePHI of almost 79 million individuals. This information included patient names, Social Security numbers, addresses, dates of birth, employment information, medical identification numbers, and email addresses.

Dan Severino, the OCR director, stated in the release that he believes the largest health care data breach in U.S. history also warrants the largest settlement. The previous highest settlement was $5.5 million, according to the release; quite a jump. Anthem also committed another major HIPAA violation by failing to conduct an enterprise-wide risk analysis. Remember, the risk analysis (or risk assessment) is mandatory for HIPAA compliance.

Additionally, the OCR found that Anthem had insufficient procedures for regularly reviewing information system activity, which led to its failure to identify and respond to security incidents. Anthem also failed to implement proper access controls, which would have limited the amount of information an attacker could reach.

In addition to this large OCR fine, Anthem will “undertake a robust corrective action plan to comply with the HIPAA rules.”

To learn more about the HIPAA rules and how to protect your organization from costly fines, we offer educational material such as training videos and information sliders within the risk assessment. If Anthem had been using HIPAAgps, maybe its fines would not have been quite as lofty, and maybe its employee would not have fallen for the phishing attack. We offer training to help your organization recognize these kinds of attacks and better protect your patients’ PHI.