Anthem – the second largest health insurance provider in the US – has agreed to pay a record settlement of $16 million after an attack on its IT systems led to the massive breach of almost 79 million health records.

The payout is more than three times the previous record-breaking $5.5 million paid to The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) by Advocate Health Care Network in 2016, making Anthem’s case the largest healthcare hacking incident since the government began imposing financial penalties for violations of HIPAA (Health Insurance Portability and Accountability Act of 1996) Privacy and Security Rules.

The cost of the fine is just the latest fallout from the 2015 data breach. Anthem had previously agreed to settle class action litigation by paying $115 million to approximately 19 million consumers, along with free credit monitoring and identity theft protection services.

The breach

Anthem, which acts as a Business Associate for multiple organizations including Blue Cross/Blue Shield plans in more than a dozen states, filed a breach report in March 2015 revealing that its IT system had been subject to a targeted cyberattack in which hackers had gained unauthorized access to electronic protected health information (ePHI). Anthem uncovered the breach in January 2015. However, the attackers had gained access to Anthem’s data warehouse, from which they had been harvesting data, many weeks before this.

Further investigation revealed that the hackers had used a popular cyberattack technique known as spear-phishing to gain access to Anthem’s data: emails designed to look like legitimate communications from internal parties were sent to Anthem employees and its affiliate companies in the hope of tricking them into sharing access information, such as usernames and passwords. At least one employee failed to recognize the phishing emails as malicious and unwittingly granted the hackers access to the ePHI of nearly 79 million people, including names, Social Security numbers, dates of birth, employment information and medical IDs.

The Feds – Insufficient defenses

Although a previous investigation by a group of insurance regulators for five states—California, Maine, Missouri, New Hampshire, North Dakota, South Carolina—concluded that administrative fines or penalties were not warranted, HHS found a number of weaknesses in Anthem’s cyber defense efforts:

  • No enterprise-wide risk analysis had been conducted.
    • This is required under HIPAA regulations. See 45 C.F.R. §164.308(a)(1)(ii)(A) – “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information….” Security Risk Assessments (SRAs), which should be conducted at least annually or whenever a significant change is made to the system, would have identified the risks and vulnerabilities before the hackers could exploit them.
    • Note the emphasis on ‘enterprise-wide’ above. The OCR has in the past fined companies for performing risk analyses within individual departments, but not at a level that would encompass the entire organization.
  • Failure to identify and respond to suspected or known security incidents.
    • The requirement to identify and respond to suspected or known security incidents, including the one that led to this breach, is described in 45 C.F.R. §164.308(a)(6)(ii).
  • Procedures for monitoring activity on IT systems were irregular and insufficient.
    • The need for regular auditing is clearly spelled out in 45 C.F.R. §164.308(a)(1)(ii)(D). Once audit mechanisms are put into place, procedures must be implemented to “regularly review records of system activity, such as audit logs, access reports, and security incident reports.” In particular, healthcare organizations need to regularly review the logs of information system activity to see who is logging in to what system, when and from where, in order to spot potential unauthorized access to ePHI.
  • There had been no attempt to implement “adequate minimum access controls” in order to shut down intrusions as far back as February, 2014.
    • It is incumbent on healthcare providers to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4) (see also 45 C.F.R. §164.312(a)). Companies need to ensure that individuals who are granted access to the information system are only authorized to access the information needed to do their specific job and do not have the ability to access other areas of the information system that could contain protected health information (PHI).
  • And finally, the OCR stated that the company did not live up to its obligation to prevent unauthorized access to the PHI of 78,800,000 individuals whose information was maintained in Anthem’s enterprise data warehouse. This requirement is defined in 45 C.F.R. §164.502(a) (Standard): “A covered entity or business associate may not use or disclose protected health information, except as permitted or required….”
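The two findings above about reviewing system activity records (who logged in to what, when and from where) and enforcing minimum necessary access both reduce to routine, mechanical checks over access logs. The following is an added illustration, not code from the article or from Anthem: it runs a small review over constructed authentication log lines against a constructed role-to-system matrix and flags the kinds of entries a reviewer would want to triage. The log format, users, roles, systems, IP ranges, business hours and bulk threshold are all assumptions made for the example.

```python
"""
Added example (not from the article or Anthem): a minimal audit-log review
applying two HIPAA Security Rule expectations discussed in the text:
  - regular review of system activity records (who, what system, when, from where)
  - least-privilege access (users touch only the systems their job requires)
Every name, role, system, IP range and log line below is constructed.
"""
from datetime import datetime
import ipaddress

# Constructed authorization matrix: which systems each role may access.
ROLE_SYSTEMS = {
    "claims_analyst": {"claims-portal"},
    "dba": {"data-warehouse", "claims-portal"},
    "hr_specialist": {"hr-system"},
}

# Constructed directory: user -> role.
USER_ROLES = {
    "alice": "claims_analyst",
    "bob": "dba",
    "carol": "hr_specialist",
}

# Constructed corporate address space; logins from elsewhere are unusual.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed policy: normal working hours, and how many records counts as bulk.
BUSINESS_HOURS = (7, 19)        # 07:00 <= hour < 19:00
BULK_THRESHOLD = 100_000

# Constructed log lines: timestamp user system source-ip result records-returned
SAMPLE_LOG = """\
2015-01-10T09:12:03 alice claims-portal 10.1.4.22 OK 12
2015-01-10T09:40:51 bob data-warehouse 10.2.8.9 OK 300
2015-01-11T02:17:44 alice data-warehouse 203.0.113.45 OK 450000
2015-01-11T02:18:10 alice data-warehouse 203.0.113.45 OK 380000
2015-01-11T10:05:00 carol hr-system 10.3.1.7 OK 3
2015-01-11T10:06:00 carol claims-portal 10.3.1.7 DENIED 0
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, user, system, ip, result, records = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "system": system,
        "ip": ipaddress.ip_address(ip),
        "result": result,
        "records": int(records),
    }


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETWORKS)


def review(log_text, bulk_threshold=BULK_THRESHOLD):
    """Return (line_no, reason) findings for a reviewer to triage.

    A successful login to a system outside the user's role is the
    least-privilege failure; a denied one shows the control working and is
    still worth a look. Off-hours activity, untrusted source addresses and
    bulk retrievals are the 'when', 'where' and 'what' signals the text
    says log review is meant to surface.
    """
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        e = parse_line(line)
        allowed = ROLE_SYSTEMS.get(USER_ROLES.get(e["user"]), set())
        if e["system"] not in allowed:
            if e["result"] == "OK":
                findings.append((n, "access outside assigned role"))
            else:
                findings.append((n, "denied access outside role (control worked)"))
        if not is_trusted(e["ip"]):
            findings.append((n, "login from outside trusted networks"))
        hour = e["ts"].hour
        if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            findings.append((n, "activity outside business hours"))
        if e["records"] >= bulk_threshold:
            findings.append((n, "bulk record retrieval"))
    return findings


if __name__ == "__main__":
    for line_no, reason in review(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

Lines 3 and 4 of the constructed log, a claims analyst pulling hundreds of thousands of warehouse records at 2 a.m. from a non-corporate address, accumulate four separate findings each, which is the point: none of the individual checks is sophisticated, but a review that is actually performed on a regular schedule catches the pattern long before an investigation weeks later does.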

The corrective action plan

As a result of the unauthorized disclosure of Anthem patients’ private information, the company must also complete a two-year corrective action plan to bring its cybersecurity practices in line with the HIPAA Security Rule. The action plan details several areas of concern and the measures Anthem must take to address them, such as:

  • Conducting a full enterprise-wide risk analysis regarding any potential risks and vulnerabilities to the ePHI stored in their infrastructure.
  • Scrutinizing existing cybersecurity procedures to ensure compliance with the HIPAA Security Rule.
  • Implementing effective access controls including network or portal segmentation and rigorous password management controls such as aging.

Once approved by OCR, the revised policy will be distributed to Anthem’s employees, including all those working within affiliate companies, thereby setting an enterprise-wide standard of cybersecurity. Should an employee fail to comply with these new procedures, Anthem will be bound to notify HHS within 60 days, and the company must provide annual reports on its compliance efforts.

With the increasing sophistication of cyber-attacks, the healthcare sector continues to be at major risk. The reputation and trust of healthcare organizations depend not only on their medical performance but also on their ability to safeguard patients’ confidential information. Security on this scale does not come cheap, however. Anthem has reportedly spent over $260 million in total on efforts to improve security and prevent another devastating data breach. The lesson here for healthcare providers and business associates is that an ounce of prevention is worth a pound of cure, and then some.