Anthem's record-breaking data breach settlement last week put providers and insurers on notice that ignoring cybersecurity risks could come with a hefty price tag.
The nation's second-largest insurer will pay HHS' Office for Civil Rights $16 million over a 2015 data breach that affected almost 79 million people, the largest data breach ever reported to the agency.
"The security risk analysis is not a check-the-box activity," said Beth Pitman, counsel for law firm Waller Lansden Dortch & Davis. "It needs to be updated regularly and incorporated into the business processes of the entity."
Before Anthem, OCR's largest settlements had been in the $5.5 million range, among them the 2017 action against Hollywood, Fla.-based Memorial Healthcare System for a breach that affected more than 115,000 people.
In Anthem's case, hackers broke into the network to steal names, birthdates, Social Security numbers, home addresses and other information of current and former members and employees.
According to the OCR, Anthem had not conducted an enterprise-wide risk analysis, lacked procedures to regularly review information system activity, failed to identify and respond to suspected security incidents, and had not put adequate minimum access controls in place to limit what the hackers could reach once they were inside the system.
"It's not just about all the things they didn't do—it's really a public punishment and statement on what OCR is going to do when this occurs," said Bill Fox, chief strategist for global healthcare, life sciences and insurance for MarkLogic.
Indeed, in announcing the settlement, OCR Director Roger Severino noted that a "breach of trust" calls for a large penalty.
The action against Anthem should serve as a reminder for organizations to review their cybersecurity strategies and safeguards. In particular, they must conduct and regularly update a risk analysis, a HIPAA Security Rule requirement that OCR has long stressed in its enforcement actions.
Cyberdefenses are particularly important for insurers, which hold considerably more records than a single hospital or even a health system.
The class action and federal settlements haven't made a dent in Anthem's bottom line, according to equity analysts. The insurer's annual profit hit $3.8 billion in 2017. Membership grew to 40.2 million at the end of last year, up 4% from 38.6 million in 2015, a sign that the breach did not hurt Anthem's ability to attract customers.
The insurer's annual reports filed with the Securities and Exchange Commission have not detailed the full cost of the data breach.
A multistate investigation by insurance departments found that the attack began when a user at one of Anthem's subsidiaries opened a phishing email containing malicious content, which gave the hackers remote access to that computer and, from there, to Anthem's data warehouse.
The results of that investigation, released in 2017, concluded that the hackers likely worked on behalf of a foreign government; some reports have linked the attack to China.
Anthem paid $260 million for security improvements and remedial actions in response to the breach.
Healthcare breaches are rising, with 277 breaches through the first nine months of 2018, compared with 271 during the same period the year before. Most breaches stemmed from hacking or "IT incidents," according to the OCR.