The Danger of Disregarding Risk Analysis: The case made by Anthem’s $16m HIPAA Settlement

by ih-coc admin

by Jay Hodes, President - Colington Consulting

Anthem, Inc., a defined Business Associate that provided administrative support services for the Anthem Affiliated Covered Entities (Anthem ACE), has agreed to a $16 million settlement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). This is the largest settlement ever announced by OCR. The investigation found a high risk of HIPAA Security Rule and HIPAA Privacy Rule violations arising from a series of “undetected continuous and targeted cyber attack[s] for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack” that exposed the ePHI of approximately 79 million users between December 2, 2014 and January 27, 2015, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

The intrusion was found to have originated with a malicious phishing email that at least one Anthem, Inc. employee responded to, giving the attackers easy access.

The following are the potential violations uncovered by the HHS investigation:

  • The requirement to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI held by Anthem
  • The requirement to implement sufficient procedures to regularly review records of information system activity
  • The requirement to identify and respond to the detection of the security incident that led to this breach
  • The requirement to implement sufficient technical policies and procedures for electronic information systems that maintain electronic protected health information, so that access is allowed only to those persons or software programs that have been granted access rights
  • The requirement to prevent unauthorized access to the ePHI of 78,800,000 individuals whose information was maintained in Anthem's enterprise data warehouse

The Corrective Action Plan (CAP) signed by Anthem includes the following terms:

  • Conducting a detailed and thorough Risk Analysis within 90 days of the CAP’s effective date, including a Statement of Work (SOW) submitted to HHS describing how the Risk Analysis will be performed. After receiving any feedback and input from HHS, Anthem then has 150 days to implement new or updated security measures based on the Risk Analysis findings and on HHS’s responses to the Analysis.
  • Conducting a thorough review of policies and procedures to ensure full compliance with the HIPAA Security Rule.
  • Distributing all updated policies and procedures throughout Anthem’s network of employees and contractors, and ensuring that those employees and contractors are properly trained on the updated content.

As a CE or BA, not enough can be said about the dangers of storing ePHI without proper risk management and analysis. In my opinion, Anthem, Inc.’s payment and CAP are disproportionate to the potential violations arising from this breach and the number of individuals affected.

Consistent, periodic review of your organization’s security measures and risk management plan is key to ensuring ongoing compliance with the HIPAA Privacy Rule and HIPAA Security Rule. Regardless of the size of your organization, an effective overall HIPAA compliance program is vital and can help prevent breaches from occurring.