Six Lessons From Anthem's Pricey, Record-Setting Breach Settlements

No HIPAA covered entity (CE) or business associate (BA) wants to be the victim of a hack and later face the compounded misery of enforcement actions by state or federal agencies and, perhaps worse, lawsuits from the people whose data weren’t properly safeguarded.

But that’s exactly the situation Anthem Inc. has found itself in—and not once, but twice. On Oct. 15, the HHS Office for Civil Rights announced a record $16 million agreement with the health plan, three times OCR’s previous high. Anthem also agreed to a two-year corrective action plan (see story, p. 1). Just two months earlier, Anthem settled a class action suit with a payment of $115 million, the largest amount on record for a data breach (RPP 9/18, p. 1).

These actions came in the wake of a 2014 hacking of Anthem’s systems that resulted in the exposure of protected health information (PHI) for a staggering 78.8 million people (RPP 3/15, p. 1).

An examination conducted for state insurance commissioners concluded that “Anthem appeared to have taken reasonable measures prior to the data breach to protect its computer network and data. Those measures included the implementation of cybersecurity technologies and procedures consistent with or exceeding those of a typical organization of its size and type.” But, it said, “the attacker was able to exploit certain cybersecurity gaps which allowed the data breach to occur.”

Since the breach was first reported, Anthem has continued to deny wrongdoing and maintains it has no evidence that harm ever came to affected individuals. But experts for the plaintiffs’ attorneys disputed this and alleged a host of security failings on the part of the health plan. Now that the dust has settled, so to speak, these items can serve as a list of what not to do (see story, p. 9).
