February 24, 2020

February 24, 2020

Subscribe to Latest Legal News and Analysis

Anthem Agrees to Pay Largest HIPAA Settlement at $16M for Massive Breach

More than three years ago, Anthem, Inc. reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that it suffered a cyber attack compromising the protected health information of nearly 79 million individuals. This breach continues to be the largest breach of protected health information to date.  Yesterday, OCR announced its record-breaking $16 million settlement with Anthem related to the massive breach. 

“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino in an OCR press release. This settlement is nearly three times the previous high of $5.55 million that Advocate Health paid in 2016 for a breach affecting more than 4 million patients.

According to OCR’s allegations, Anthem failed to conduct a system-wide risk analysis, had insufficient procedures to review system activity, failed to identify and respond to security incidents and failed to implement adequate minimum access controls to prevent access to electronic protected health information (ePHI).

Given the size of the breach, the record-setting settlement amount is not surprising. Notably, a failure to perform a comprehensive risk analysis continues to result in large settlement amounts with OCR after a breach. (See our previous blog posts: $3.5 M OCR Settlement for Five Breaches Affecting Fewer Than 500 Patients Each and OCR Published Three HIPAA Settlements in Two Weeks, Signaling a Ramp Up of HIPAA Enforcement Activity).

Accordingly, HIPAA covered entities must perform a system-wide risk analysis that complies with the HIPAA Security Rule as well as perform periodic updates as necessary. That risk analysis, along with evidence of measures implemented to address vulnerabilities identified in the risk analysis, will be the first thing OCR requests in an investigation involving a breach of ePHI.

© Copyright 2020 Murtha Cullina


About this Author

Dena Castricone, Murtha Cullina Law Firm, Privacy and Cybersecurity Attorney

Dena M. Castricone is a member of the Long Term Care and Health Care practice groups.  She is the Chair of the Privacy and Cybersecurity practice group and the Chair of the firm’s Pro Bono Committee.  Prior to joining Murtha Cullina, Dena served as a law clerk to the Chief Justice of the Rhode Island Supreme Court, Frank J. Williams.

Dena’s long term care and health care clients compete in a constantly evolving industry, facing both rising administrative and regulatory burdens and shrinking reimbursement rates. She helps skilled nursing centers, physician groups, home health and...