HIPAA Breach Results in Highest Settlement in OCR History

The U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced earlier this month that is has entered into the largest settlement agreement in the history of the Department with Anthem, Inc., the largest Blue Cross and Blue Shield health benefit companies in the country.  Anthem, Inc. agreed to pay $16 million to HHS and take substantial corrective action to settle numerous potential violations of both HIPAA Privacy and Security Rules after it exposed protected health information (PHI) for nearly 79 million people.

In March 2015 Anthem filed a breach report with OCR after they discovered that their Information Technology (IT) systems were infiltrated by cyber-attackers who had gained access to their systems after an Anthem employee opened a phishing email.  This email released an undetected continuous persistent threat attack that permitted the cyber-attackers to access their systems from December 2014 through the end of January 2015.  This attack opened access that ultimately resulted in the PHI of nearly 79 million people to be stolen.

OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis.  Additionally, OCR determined that Anthem “failed to have sufficient policies and procedures to regularly review IT system activity, identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent impermissible access to electronic PHI.”

As part of the settlement, Anthem must comply with a Corrective Action Plan (CAP) for a period or two years.  As part of that CAP, Anthem must conduct an “accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI held by Anthem.” This risk assessment must be submitted to OCR for review and approval.  The CAP includes the review, revision, and distribution of all written policies and procedures addressing Information System Activity Review and Access Control for systems containing ePHI.  The CAP requires regular and ongoing reporting to OCR for actions taken under the Plan and for any reportable events.

The day following the Anthem, Inc. settlement press release, OCR and the Office of the National Coordinator for Health Information Technology (ONC) announced that they have strengthened the Security Risk Assessment (SRA) Tool to improve functionality.  The SRA is designed for use by small to medium sized health care providers to help them identify risks and vulnerabilities to ePHI within their practices.  All HIPAA covered entities and business associations are required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI in their organizations.

Ambulance services should conduct a comprehensive Risk Analysis of their systems.  This Risk Analysis should include all provisions and requirements under HIPAA.  While this settlement highlights the significant risks associated with ePHI and IT systems, there remains significant risks to PHI in non-electronic forms as well.  This settlement is a great illustration of how apathy or reduced focus can result in potentially devastating results.

Contact the American Ambulance Association (AAA) with questions or assistance regarding any HIPAA related or other ambulance service compliance issue.

Print Friendly, PDF & Email

Anthem, Blue Cross Blue Shield, HIPAA, Office of Civil Rights (OCR)


Scott Moore

Scott A. Moore, Esq. has been in the emergency medical services field for over 26 years. Scott has held various executive positions at several ambulance services in Massachusetts. Scott is a licensed attorney, specializing in Human Resource, employment and labor law, employee benefits, and corporate compliance matters. Scott has a certification as a Professional in Human Resources (PHR) and was the Co-Chair of the Education Committee for the American Ambulance Association (AAA) for several years. In addition, Scott is a Site Reviewer for the Commission on the Accreditation of Ambulance Services (CAAS). Scott earned his Bachelor’s Degree in Psychology from Salem State College and his Juris Doctor from Suffolk University Law School. Scott maintains his EMT and still works actively in the field as a call-firefighter/EMT in his hometown. Scott is a member of the American Bar Association, the Massachusetts Bar Association, the Society for Human Resource Management, and the Northeast Human Resource Association.

Leave a Reply