The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced earlier this month that it has entered into the largest settlement agreement in the history of the Department with Anthem, Inc., the largest Blue Cross and Blue Shield health benefit company in the country. Anthem, Inc. agreed to pay $16 million to HHS and to take substantial corrective action to settle numerous potential violations of both the HIPAA Privacy and Security Rules after it exposed the protected health information (PHI) of nearly 79 million people. In March 2015, Anthem filed a breach report with OCR after discovering that its Information Technology (IT) systems had been infiltrated by cyber-attackers, who gained access after an Anthem employee opened a phishing email. That email launched an undetected, continuous persistent-threat attack that allowed the attackers to access Anthem's systems from December 2014 through the end of January 2015. The access opened by this attack ultimately resulted in the theft of the PHI of nearly 79 million people. OCR's investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis. Additionally, OCR determined that Anthem "failed to have sufficient policies and procedures to regularly review IT system activity, identify…
