On October 15, 2018, HHS announced a $16 million settlement with Anthem, Inc. – the largest HIPAA settlement in history – following targeted cyberattacks in 2014 and 2015 that resulted in the theft of the ePHI of nearly 79 million individuals. (The previous record HIPAA settlement, for $5.55 million, was paid to HHS in 2016; see Legal Update, HHS Claims a Record Haul With $5.55 Million HIPAA Settlement and Practice Note, HIPAA Enforcement: Settlement Agreements.) Anthem is a widely known health insurer and administrative services provider for many employment-based health plans. From a HIPAA perspective, and for purposes of the HHS settlement, Anthem is a business associate regarding the ePHI it maintained for Anthem's affiliated health plans (as HIPAA covered entities) (see Practice Note, HIPAA Privacy Rule: Affiliated Covered Entities and Standard Document, HIPAA Business Associate Agreement).

HHS began investigating Anthem in early 2015 after media reports and information on Anthem's website indicated that the company had sustained an external cyber attack, which HHS characterized as an "advanced persistent threat attack" (see Article, Expert Q&A on the Impact of Cyber Attacks on Employer Group Health Plans and Related HIPAA Compliance). According to HHS, Anthem's systems were also compromised by "spear phishing" emails sent to a subsidiary; an employee responded to a malicious email and the attacks proliferated. In March 2015, Anthem provided HHS a breach notification informing the agency that cyber attackers had gained impermissible access to the company's IT system that maintained the ePHI of nearly 79 million individuals (see Practice Note, HIPAA Breach Notification Rules). The stolen ePHI included individuals' names, social security numbers, health identification numbers, birth dates, physical and email addresses, and employment information.

HHS's investigation identified potential violations of the HIPAA Privacy Rule and Security Rule, including requirements to:

(See Practice Notes, HIPAA Privacy Rule and HIPAA Security Rule: Safeguards and Related Organizational and Document Requirements.)

In addition to the $16 million settlement payment, Anthem agreed to carry out a corrective action plan (CAP) addressing several aspects of HIPAA compliance (see HIPAA Privacy, Security, and Breach Notification Toolkit).

The $16 million question for health plan covered entities and their business associates in light of this latest HHS settlement is easier stated than resolved: how do we prevent ourselves from becoming the next target of cyber attackers bent on infiltrating our systems and stealing individuals' ePHI? HHS has begun providing tools for addressing cyber attacks, though some of these resources are geared more toward incident response than to preventing an attack in the first place (see Article, Expert Q&A on the Impact of Cyber Attacks on Employer Group Health Plans and Related HIPAA Compliance). In the Anthem settlement, HHS focuses on at least two compliance shortfalls that contributed to the breach – not conducting an accurate and thorough risk analysis of potential risks to ePHI and not regularly reviewing records of information system activity. Regarding the phishing emails described in this settlement, a recent HHS cybersecurity newsletter addressed tips for avoiding such an attack (for example, using multi-factor authentication).