PHI Breach Penalty Dollars Rolling in for Healthcare Enforcement

By: Dave Davidson

It has been a busy autumn for the enforcement of health care privacy rights.  Recent activities range from settling the claim for the largest HIPAA violation in US history, to penalties imposed for filming TV shows, to actions initiated by state governments.  All of these actions confirm the serious position taken by regulators nationwide to protect the privacy of protected health information (PHI).

The Big One

On October 15, 2018, Anthem, Inc., an independent licensee of Blue Cross, paid $16 million to settle its claim with the HHS Office of Civil Rights (OCR) for a breach that compromised the PHI of 79 million people.  This was the largest reported breach in history.  The PHI breach occurred in 2015, when hackers initiated a “spear phishing” attack via fraudulent emails.  The government found that Anthem lacked appropriate information system procedures to identify and respond to security breaches, and minimum access controls to stop these kinds of attacks.

In addition to the financial penalty, Anthem agreed to a corrective action plan, under which it is to perform a risk analysis and incorporate the results of the analysis into its existing processes, in order to achieve a “reasonable and appropriate level” of HIPAA compliance.

This settlement is in addition to the $115 million settlement Anthem reached last year with the victims of the breach.