More than three years ago, Anthem, Inc. reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that it suffered a cyber attack compromising the protected health information of nearly 79 million individuals. This breach continues to be the largest breach of protected health information to date.  Yesterday, OCR announced its record-breaking $16 million settlement with Anthem related to the massive breach. 

“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino in an OCR press release. This settlement is nearly three times the previous high of $5.55 million that Advocate Health paid in 2016 for a breach affecting more than 4 million patients.

According to OCR’s allegations, Anthem failed to conduct a system-wide risk analysis, had insufficient procedures to review system activity, failed to identify and respond to security incidents and failed to implement adequate minimum access controls to prevent access to electronic protected health information (ePHI).

Given the size of the breach, the record-setting settlement amount is not surprising. Notably, a failure to perform a comprehensive risk analysis continues to result in large settlement amounts with OCR after a breach. (See our previous blog posts: $3.5 M OCR Settlement for Five Breaches Affecting Fewer Than 500 Patients Each and OCR Published Three HIPAA Settlements in Two Weeks, Signaling a Ramp Up of HIPAA Enforcement Activity).

Accordingly, HIPAA covered entities must perform a system-wide risk analysis that complies with the HIPAA Security Rule as well as perform periodic updates as necessary. That risk analysis, along with evidence of measures implemented to address vulnerabilities identified in the risk analysis, will be the first thing OCR requests in an investigation involving a breach of ePHI.