
Anthem Pays OCR $16 Million in Record HIPAA Settlement

The largest HIPAA settlement in history: what happened, why it happened, and what it means for covered entities.

April 2026 3 min read AXIS CloudSync Compliance Team

Anthem Inc. has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), and to take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people. The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016.

Anthem is an independent licensee of the Blue Cross and Blue Shield Association, operating throughout the United States, and is one of the nation's largest health benefits companies, providing medical care coverage to one in eight Americans through its affiliated health plans.

This breach affected electronic protected health information (ePHI) that Anthem Inc. maintained for its affiliated health plans and any other covered entity health plans. On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, it discovered that cyberattackers had gained access to its IT system via an undetected, continuous, and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack. After filing its breach report, Anthem discovered that the cyberattackers had infiltrated its system through spear-phishing emails sent to an Anthem subsidiary, after at least one employee responded to the malicious email and opened the door to further attacks. OCR's investigation revealed that between December 2, 2014 and January 27, 2015, the cyberattackers stole the ePHI of almost 79 million individuals, including names, Social Security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

"The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history," said OCR Director Roger Severino. "Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people's private information."

Director Severino continued, "We know that large healthcare entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR."

In addition to the impermissible disclosure of ePHI, OCR's investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyberattackers from accessing sensitive ePHI, beginning as early as February 18, 2014. In addition to the $16 million settlement, Anthem will undertake a robust corrective action plan to comply with the HIPAA Rules.

The resolution agreement and corrective action plan may be found on the OCR website: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/anthem/index.html

Source provided by AccessCloud Sync, HIPAA compliant file sharing solution, www.accesscloudsync.com
