In 2015, Anthem, Inc. (“Anthem”) discovered that criminal hackers had breached its electronic database and gained access to nearly 79 million records, including the records of at least 12 million minors. The protected health information obtained by the hackers included, among other data, names, addresses, dates of birth, medical IDs, and Social Security numbers. The hackers gained their initial foothold through a “spear phishing” email: at least one employee received a phishing email and responded to it, which gave the hackers remote access to that employee’s computer and, from there, to at least 90 other systems, including Anthem’s data warehouse.
Although the breach was first discovered in January 2015, it actually began on February 18, 2014, meaning the intrusion went undetected for almost a full year. “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who gained access to their system to harvest passwords and steal people’s private information,” said Office for Civil Rights (“OCR”) Director Roger Severino.
Anthem has agreed to pay $16 million to the OCR of the Department of Health and Human Services (“HHS”) and to take corrective action to address the potential HIPAA violations and prevent them in the future. While other large breaches have occurred in the past, this was the largest health data breach in U.S. history, and the $16 million payment is the largest HIPAA settlement to date.