The Department of Health and Human Services Office for Civil Rights (OCR) announced this week that it has settled the largest health care data breach for the largest enforcement fine in history. OCR settled the massive data breach Anthem suffered in 2015 for $16 million—a substantially larger fine than any others assessed by OCR for HIPAA violations. The data breach included the names, birth dates, and Social Security numbers of nearly 80 million individuals. The data breach was caused when hackers spear-phished an Anthem employee and were able to access the system and the individuals’ health and personal information.
Following Anthem’s notification of the data breach, which is required by regulation, the OCR commenced an investigation and alleged that Anthem violated HIPAA when it failed to run risk analyses, lacked procedures to regularly review activity on its system, failed to detect or respond to security incidents, and failed to have appropriate access controls in place. According to the OCR, “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information.” Anthem denies liability in the agreement with OCR.
According to the OCR, in addition to the payment of the fine, Anthem will take “substantial” measures to assess and monitor its cyber risks.
This settlement follows Anthem’s settlement with consumers in June 2017 for $115 million.