Anthem Mega-Breach: Record $16 Million HIPAA SettlementRegulators Say Health Insurer Failed to Take Basic Security Steps
Federal regulators have smacked health insurer Anthem Inc. with a record $16 million HIPAA settlement in the wake of a cyberattack revealed in 2015, which impacted nearly 79 million individuals. In announcing the largest-ever HIPAA fine, regulators noted the insurer failed to take several basic security steps, including conducting an enterprisewide security risk assessment.
See Also: API Security: Making Sense of the Market
The previous largest HIPAA settlement was $5.55 million paid by Advocate Health Care in 2016.
The Department of Health and Human Services' Office for Civil Rights says Anthem agreed to take "substantial corrective action" to settle potential HIPAA privacy and security rules violations after a series of cyberattacks led to the largest U.S. health data breach, exposing electronic protected health information.
"The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history," says OCR Director Roger Severino.
"Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people's private information. We know that large healthcare entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR."
"The recent string of civil monetary penalty and settlement cases indicates that HHS OCR has no intention of slowing its enforcement of the HIPAA rules."
—Iliana Peters, Polsinelli
OCR notes that during its investigation into the breach, it identified several critical areas of security weakness that contributed to the incident. Those included:
- A lack of an enterprisewide security risk assessment - a common area of weakness that OCR often has cited in other HIPAA settlements;
- A lack of adequate minimum access controls;
- Insufficient procedures to regularly review information system activity;
- A failure to identify and respond to suspected or known security incidents.
Anthem, formerly known as Wellpoint, is one of the nation's largest health insurers. In its statement, OCR noted that the Anthem breach affected ePHI that Anthem maintained for its affiliated health plans and other covered entities' health plans.
While the Anthem case resulted from a massive breach, "as always, the breach was just the starting point for the investigation of this settlement case," says privacy attorney Iliana Peters of the law firm Polsinelli.
"In thinking through these potential violations, all could arguably have either prevented the breach itself, or could have significantly limited its scope," says Peters, a former senior adviser at OCR. "Such an approach to breach investigations is consistent with OCR's past enforcement - that is, past cases on OCR's website indicate that OCR will look to evidence of compliance prior to a security incident to determine whether the entity had implemented the controls required by HIPAA to protect the ePHI affected. "
On March 13, 2015, Anthem filed a breach report with the HHS OCR detailing that, on Jan. 29, 2015, the company discovered that cyberattackers had gained access to its IT system "via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack."
After filing a breach report with OCR, Anthem discovered cyberattackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary; at least one employee responded to the malicious email and opened the door to further attacks, OCR reports.
"OCR's investigation revealed that between Dec. 2, 2014, and Jan. 27, 2015, the cyberattackers stole the ePHI of almost 79 million individuals, including names, Social Security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information," OCR notes.
"In addition to the impermissible disclosure of ePHI, OCR's investigation revealed that Anthem failed to conduct an enterprisewide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyberattackers from accessing sensitive ePHI, beginning as early as Feb. 18, 2014."
The Anthem breach case has been the subject of several other legal actions and investigations. Those include a record $115 million settlement of a consolidated class action lawsuit against the company, and 2017 report issued by seven state insurance commissioners that a nation-state was behind the Anthem attack. While the report did not name a nation-state, experts have suspected China as being involved in the attack.
In a statement provided to Information Security Media Group, Anthem says it takes the security of its data and the personal information of consumers "very seriously." The insurer says it cooperated with OCR throughout its review and has a "mutually acceptable resolution."
Anthem adds: "At the time of the incident, our first priority was to ensure that our systems were secure, which we did by engaging a world-class security organization and the FBI. Additionally, we provided initial notice within four business days and credit protections within 11 business days. We are not aware of any fraud or identity theft that has occurred as a result of this incident."
Under its resolution agreement, Anthem has agree to undertake "a robust corrective action plan."
Among the corrective actions that Anthem has agreed to take are:
- Conducting an accurate and thorough risk analysis, subject to HHS review and critique. "If HHS identifies deficiencies in the risk analysis ... HHS shall provide Anthem with written technical assistance, as necessary. ... Upon receiving any recommended changes to the risk analysis to confirm compliance with ... the [HIPAA] Security Rule, Anthem shall have 30 days to revise the risk analysis and provide the revised risk analysis to HHS for review. This process shall continue until HHS determines the risk analysis has been completed in accordance with ... the security rule. "
- Reviewing and revising, as necessary, its written security policies and procedures, and distributing them to its workforce. That includes review of Anthem's access controls ... "to address access between Anthem systems containing ePHI, such as network or portal segmentation, and provisions to enforce password management requirements, such as password age."
- Investigating and acting upon reportable events. "In the event that Anthem receives information that a workforce member subject to the policies and procedures adopted by Anthem ... may have failed to comply with those policies and procedures, Anthem shall promptly investigate this matter... and report to HHS including a description of the event ... and actions taken and any further steps Anthem plans to take to address the matter to mitigate any harm, and to prevent it from recurring, including sanctions, if any."
It's important to note that the impermissible disclosures at issue in this case, as cited in the Anthem resolution agreement with OCR, "were the result of 'unauthorized access' to the ePHI of nearly 79 million individuals," Peters says.
"Regulated entities sometimes forget that exfiltration, or some other way of obtaining ePHI, is not necessary for an impermissible disclosure violation, given the definition of an impermissible disclosure under the HIPAA rules and the definition of a breach under the HITECH Act," she says. "Providing unauthorized access to PHI alone under HIPAA constitutes an impermissible disclosure, and, if there is not low risk to the PHI, a breach."
The settlement with Anthem is a strong signal by OCR to the healthcare sector that the agency remain serious about its HIPAA enforcement activities, Peters says.
The record settlement with Anthem is the agency's fifth enforcement action so far this year, totaling $24.9 million in penalties. By comparison, OCR had 10 enforcement actions in 2017, totaling $19.4 million in settlements and fines, and 13 actions in 2016, totaling $23.5 million.
"The recent string of civil monetary penalty and settlement cases indicates that HHS OCR has no intention of slowing its enforcement of the HIPAA rules," Peters contends.
Independent compliance attorney Paul Hales says the $16 million settlement "is eye-catching evidence of OCR's commitment to enforce HIPAA. Anthem would be liable for significantly larger civil monetary penalty if it did not settle - and is still liable if it fails to meet OCR's corrective action plan requirements."
Lessons to Learn
OCR's findings of Anthem's security shortcomings "are not surprising," Hales says.
"Failure to perform a risk analysis and manage identified risks is the most serious HIPAA violation among covered entities and business associates of all types and sizes. Risk analysis and risk management is the basis of a HIPAA compliance program," he says.
"Enterprisewide, site-specific risk analysis and risk management are essential. Safeguards to address identified risks threats must be established or strengthened as appropriate."
Among key lessons emerging from the Anthem settlement is that "healthcare organizations of all sizes must place a greater emphasis on protecting patient confidentiality as well as the information security of the electronic information systems that handle PHI," says privacy attorney David Holtzman of the security consultancy CynergisTek. "This can only be accomplished by finding the right balance of administrative policies, physical security protections and technological controls that effectively manage the risk to health information identified through an enterprisewide risk analysis," he adds.
"I truly believe that the real motivator today for what entities are doing around data security is no longer compliance or enforcement, but the impact and cost to the business that cyber incidents are now having. ... You need good security because it's the right thing for the business, not because you may get caught, and incidents are more costly than fines."
Tom Walsh, founder of consulting firm tw-Security, notes that OCR's findings about Anthem are consistent with other past breach settlements and corrective action plans. "Most of the findings deal with the lack of documentation and process discipline on the part of the information technology staff," he says. "Anyone who has worked in IT or works with IT people knows that, in general, IT folks are not good at documenting things."
To pay the penalty, "Anthem will likely be raising the premiums for its members," Walsh contends. "Is it fair that health plan members have to cope with their data being compromised and possible harm to them as well as being expected to help pay for Anthem's penalty too?"
Walsh says he believes there is some culpability on the part of the Anthem executives. "Executives approve budgets, which means they can determine how much money will be allocated to information security used for protecting members' privacy. Industry surveys indicate that information security professionals repeatedly identify 'underfunding' as an issue. A review of internal risk analysis, risk management plans and requests/approvals for budgets may be revealing here," he notes.
"Perhaps if a portion of the OCR penalty came out of executive pay or bonuses, more money will filter down to security? If executives were asked to bear some of the financial burden of a fine/penalty - which they won't - it would increase executive involvement with information security and privacy."