Harbinger or Anomaly? Anthem’s Data Breach Settlement with HHS
Late last week, the Office for Civil Rights of the Department of Health and Human Services (OCR) announced a $16 million settlement with health-insurance company Anthem, Inc. The settlement amount is nearly three times larger than any prior settlement with OCR.
As a reminder, in 2015 Anthem suffered the largest reported health data breach in U.S. history. The breach itself began the prior year, when an employee at an Anthem subsidiary opened a phishing e-mail containing malicious content. With that malicious code in place, the attacker was able to gain remote access to dozens of other systems within the Anthem enterprise. Eventually, in 2015, the attacker reached the company’s enterprise warehouse and, from there, 78.8 million unique user records.
After the breach was disclosed, Anthem became a target for private litigants and regulators alike. Individual litigants brought a nationwide class action, which ultimately settled for more than $115 million. And state regulators followed suit, conducting their own expansive investigations.
OCR ultimately entered the fray in February 2015, claiming that Anthem had violated the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy, Security, and Breach Notification Rules. After a nearly three-year compliance review and investigation, OCR and Anthem settled. In sharp contrast to past OCR investigations and settlements, the terms of the Anthem settlement agreement are far broader and more prescriptive:
- Anthem must pay HHS $16 million in restitution.
- Anthem must conduct a “thorough” risk analysis of any potential risks and vulnerabilities to the confidentiality, integrity, and availability of Anthem’s electronic protected health information.
- Anthem must “review and revise” its written data security policies and procedures.
- In the event an Anthem employee violates Anthem’s policies, Anthem must notify HHS of the infraction.
- Anthem must provide HHS with annual reports on its compliance with the settlement agreement.
Previous OCR settlement agreements never exceeded $6 million.
It remains unclear, however, whether the Anthem settlement is a harbinger of a more aggressive regulatory stance from OCR, or whether the size of the restitution figure simply reflects the fact that, in OCR’s own words, the “largest health data breach in U.S. history fully merits the largest HIPAA settlement in history.” To that end, we will continue to monitor OCR’s investigations and settlement agreements.