Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History October 15, 2018


Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History

October 15, 2018

Anthem, Inc. has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people.

The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016.

Anthem is an independent licensee of the Blue Cross and Blue Shield Association operating throughout the United States and is one of the nation’s largest health benefits companies, providing medical care coverage to one in eight Americans through its affiliated health plans.  This breach affected electronic protected health information (ePHI) that Anthem, Inc. maintained for its affiliated health plans and any other covered entity health plans.

On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, they discovered cyber-attackers had gained access to their IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack.  After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.

In addition to the $16 million settlement, Anthem will undertake a robust corrective action plan to comply with the HIPAA Rules.  The resolution agreement and corrective action plan may be found on the OCR website at

HIPAA Fine for Lack of Timely Breach Notification

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced the first Health Insurance Portability and Accountability Act (HIPAA) settlement of 2017 based on the untimely reporting of a breach of unsecured protected health information (PHI).  Presence Health has agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a corrective action plan. Presence Health is one of the largest health care networks serving Illinois and consists of approximately 150 locations, including 11 hospitals and 27 long-term care and senior living facilities. Presence Health also has multiple physicians’ offices and health care centers in its system and offers home care, hospice care, and behavioral health services. With this settlement amount, OCR balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentivize breach reporting altogether.

On January 31, 2014, OCR received a breach notification report from Presence indicating that on October 22, 2013, Presence discovered that paper-based operating room schedules, which contained the PHI of 836 individuals, were missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois.  The information consisted of the affected individuals’ names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia.  OCR’s investigation revealed that Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR.

“Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements” said OCR Director Jocelyn Samuels. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

The Resolution Agreement and Corrective Action Plan is available for detail review below:


OCR’s guidance on breach notification may be found at

Learn more on how to comply with HIPAA privacy, security and breach notification rules at

HIPAA Violation Fines: Unauthorized Filming Results in $2.2 Million Settlement

New York Presbyterian Hospital has reached a settlement with the Office for Civil Rights (OCR) to pay $2.2 million HIPAA violation fine for the unauthorized disclosure of two patients Protected Health Information (PHI). The PHI was released to film crews and staff during the filming of an ABC television series called “NY MED.”  This was done without authorization from the patients. OCR discovered that North Presbyterian Hospital (NYP) allowed the ABC film crew to record someone dying, and another person who was in significant distress. This took place even after medical professionals urged the ABC film crew to stop.



“This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization,” said Jocelyn Samuels, OCR’s Director.  “We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.”By allowing individuals who were  receiving medical attention to be filmed without their knowledge or authorization by members of ABC filming crew, NYP’S blatantly violated the HIPAA rules. Rules that are specifically made in order to stop the disclosure of an individual’s PHI.”


Along with the $2.2 million dollar settlement New York Presbyterian Hospital is required to:

  • Develop and revise all policies and procedures to comply with the Federal Standards that comply with privacy and security of PHI
  • A process for evaluating and approving authorizations that request the disclosure of PHI
  • Requirements that all photos, video, and audio recordings conducted are actively monitored by an appropriate employee for compliance with the Privacy Rule
  • All members of NYP’s workforce are to receive training on the policies and procedures in order to comply with the Privacy Rule

This is the sixth HIPAA violation fine in 2016 by HHS (Read the previous resolution agreements here)

What is the specific HIPAA violation?

New York Presbyterian Hospital violated the HIPAA Privacy Rule by allowing the film crew to record both video and audio content of patients with out the proper authorization. OCR also found that NYP failed to safeguard PHI by allowing the ABC film crew virtually total access to the healthcare facility, which in return created an environment where PHI could not be properly protected from unauthorized disclosure to the ABC film crew and staff.


HIPAA Violations and Corrective Action Plan (CAP)

New York Presbyterian Hospital has agreed to pay HHS $2,200,000 (Resolution Amount) in order to settle potential violations of the HIPAA Rules. This settlement also includes a comprehensive corrective action plan (CAP) that includes two years of monitoring in order to ensure HIPAA compliance. This action plan will include training on the policies and procedures in order to fully comply with the Privacy Rule, along with requirements that all photos, video, and audio recording conducted be actively monitored by an appropriate employee for compliance with the Privacy Rule.


What could have been done differently?

Before filming any individuals receiving urgent or non-urgent medical care, proper authorization needs to be in place. HIPAA Rules are specifically designed to prohibit the disclosure of individual’s PHI which includes, images, audio, and video recordings, in circumstances such as these. ABC’s film crew technically did not do anything wrong. It is New York Presbyterian Hospital’s responsibility to protect and safeguard its patient’s PHI. Simply getting permission from the patients would have been sufficient in allowing ABC to film. However a covered entity, including a health care provider, may not use or disclose PHI, except either:

(1) As the HIPAA Privacy Rule permits or requires

(2) As the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.


To learn more about how EHR 2.0 can help reduce HIPAA violation by setting up policies and procedures that will ensure your healthcare practice is and stays HIPAA compliant, please visit us at

OCR Launches Phase 2 of HIPAA Audit Program

Optometry HIPAA data analysis

HIPAA Phase 2 audiit is a part of the continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules by the HHS Office for Civil Rights (OCR). Audits are an important compliance tool for OCR that supplements OCR’s other enforcement tools, such as complaint investigations and compliance reviews. These tools enable OCR to identify best practices and proactively uncover and address risks and vulnerabilities to protected health information (PHI).

In its 2016 Phase 2 HIPAA Audit Program, OCR will  review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.  These audits will primarily be desk audits, although some on-site audits will be conducted.

The 2016 audit process begins with verification of an entity’s address and contact information. An email is being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner.   OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools.

If an entity does not respond to OCR’s request to verify its contact information or pre-audit questionnaire, OCR will use publically available information about the entity to create its audit subject pool.  Therefore an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review. Communications from OCR will be sent via email and may be incorrectly classified as spam. If your entity’s spam filtering and virus protection are automatically enabled, we expect entities to check their junk or spam email folder for emails from OCR.

The audit program is developing on pace and OCR is committed to transparency about the process. OCR will post updated audit protocols on its website closer to conducting the 2016 audits.  The audit protocol will be updated to reflect the HIPAA Omnibus Rulemaking and can be used as a tool by organizations to conduct their own internal self-audits as part of their HIPAA compliance activities.

EHR 2.0 offers a secure and user-friendly online HIPAA compliance assessment toolkit for small medical practices with limited resources and time, to identify gap areas, prioritize solutions, and demonstrate compliance with federal regulations.

Demo of our Do-It-Yourself Online HIPAA Compliance Assessment Toolkit with HITECH

To understand more on the latest HIPAA phase 2 audits, listen to our 50mins webinar on “How to survive a HIPAA audit by HHS/OCR”

Checklist: Safe Disposal of Patient Data

a person working on security-awareness

A covered entity or business associate must remain in accordance with HIPAA  164.310d(1), Physical Safeguards – security procedures need to include: “Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.”

As you could interpret from these high level HIPAA data disposal requirement standards, HIPAA laws do not require specific steps, being vague as often the case and instructing rather to use “reasonable” safeguards when removing data from electronic devices. In order for healthcare organizations to have appropriate controls on patient data during disposal, they must properly safeguard used media.


Though the standard for disposing electronic patient data is defined vaguely, recent reported incidents and fines for insecure data disposal have increased. Out of 1113 incidents reported on HHS breach report, 46 of them are attributed to improper disposal of paper-based or electronic devices which contained PHI. Read more about the recent breach reports published by HHS here:

Arguably the most important step in adhering to this HIPAA law requirement is determining electronic data storage devices that need to be disposed securely.  Any device requiring electrical power to be capable of storing and/or processing data, such as those containing volatile memory and/or magnetic or optical storage, should be identified as such. This includes but is not limited to personal computers / hard drives, servers, mainframes, Personal Digital Assistants (PDAs), routers, firewalls, switches, tapes, diskettes, CDs, DVDs, cell phones, smart phones, tablets, printers with on board memory, multifunction devices, digital cameras, flash memory cards or SD cards, and Universal Serial Bus (USB) data storage devices.

Though inventorying all the above mentioned devices in a huge hospital setup is very complex, practically speaking, any electronic devices where Protected Health Information (PHI) data is stored need to be tracked. You could consider either using a simple inventory log or more sophisticated online database to keep track of the inventory of devices.

The security categorization of the patient data, along with internal environmental factors, should drive the decisions on how to deal with the media devices. Again, the key is to first think in terms of patient data confidentiality, then by media type.


There are several options available for disposal methods with different types of data, Health care organizations need to determine which method is preferable or needed, based on the confidentiality requirement of the data being disposed.  Some of the most widely used methods are:

  1. a) Overwriting: Overwriting of data means replacing previously stored data with a predetermined pattern of meaningless information. Overwriting is the more cost effective option to securely dispose data, as it allows the reuse of resources when possible.
  2. b) Physical Destruction: Physical destruction includes but is not limited to disintegration, incineration, pulverization, and melting of the devices. Physical destruction needs to ensure that any possible restoration of the data from the device is not restorable. However, incineration must take place only in a licensed facility. Some of the approaches listed here involve outside professionals.
  3. c) Cryptographic Sanitizing: Sanitization by cryptography works by first encrypting all data as it is written to the devices. The only way to read or recover data protected in this manner is to use a valid decryption key. Instant and thorough sanitizing occurs when the decryption key is destroyed.
  4. d) Degaussing: Degaussing is a process whereby the magnetic media is thoroughly disrupted. Stored data in the electronic devices seldom can be used after degaussing, and the devices themselves are often left unusable.

Our advice and recommendations of checklist items to cover to securely dispose patient data:

  1.    Consideration of legal record retention requirements, along with company needs, prior to disposal. In most cases, at least 6-year worth of data is to be maintained before destroying.  This requirement might also vary state-to-state.
  2.    Keep the data in a secure area prior to disposal.
  3.    Maintain records of devices where data was securely sanitized. This would include certificate, pictures, or other form of acknowledgement.
  4.    Training of all your staff on how direct disposal and deleting the data directly from the system is not sufficient. This could be combined with your annual HIPAA training of staff.
  5.    Identify the best possible method for securely disposing data discussed in the above categories.
  6.    Ensure backup copies of data are kept in a secure place, in case you ever need to refer to said data.

Examples of specific products / options available

For the list of software available to safely destruct data please click here >>

In addition, attend our complimentary webinar scheduled on 9/24. Register here >>

Additional resources:

Does my healthcare practice need to be HIPAA/HITECH certified?

cybersecurity-awareness images

We mentioned earlier in one of our blog posts that we would get back to you about the HIPAA/HITECH “Certification” question that lot of  the healthcare practices are asking about …  Certification by a third-party is not required for Covered Entities and Business Associates unlike PCI or ISO certification requirements. HIPAA/HITECH “certification” is not mandated in any way and no one is authorized to provide HIPAA/HITECH certification per se. Rather Covered Entities and Business Associates need to be in compliant with the new omnibus HIPAA Privacy, Security and Breach Notification rules. This is very clearly stated in HHS website: “A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.” If you want to learn more about HHS’s position on getting HIPAA certification please go through the following links:

The above discussion clearly concludes there’s no single certifying authority on HIPAA/HITECH rules. The assessment of HIPAA rules in your practice and implementation of required remediation could be technically performed by anyone (with no prior qualification). However, the purpose and intent of evaluation is two fold:

1) To genuinely secure patient data and implement required processes in place to avoid legal issues

2) To handle HHS Office for Civil Rights(OCR) audit request

In order to handle this HIPAA conundrum, we recommend at least conducting the initial HIPAA/HITECH assessment against the new rules by an externally qualified organization. Use the same methodologies and processes used by the external organization to conduct your periodic assessment for subsequent annual assessments. In addition, if there’re any major scope change in terms of your IT infrastructure, vendor upgrade or new business introduction have the assessment done by an external organization.

Only experience and industry knowledge will help apply the for your practice successfully.

There are quite a few organizations providing training and certification to acquire HIPAA expertise.  Firms can benefit from their workers completing one or more of the established credentials, including:

1) Healthcare Information Security and Privacy Practiioner  by ISC2

2) AHIMA certification page (,

3) CompTIA – (

No matter how you do your assessment, at least ensure the following 3 aspects of your HIPAA/HITECH rules::

1) Conducting a thorough security risk assessment of all your technological assets

2) Updating your information security policy document

3) Providing awareness training to your staff

$800,000 HIPAA Settlement in Medical Records Dumping Case

Parkview Health System, Inc. has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule with the U.S. Department of Health and Human Services Office for Civil Rights (OCR).  Parkview will pay $800,000 and adopt a corrective action plan to address deficiencies in its HIPAA compliance program.  Parkview is a nonprofit health care system that provides community-based health care services to individuals in northeast Indiana and northwest Ohio.

OCR opened an investigation after receiving a complaint from a retiring physician alleging that Parkview had violated the HIPAA Privacy Rule.  In September 2008, Parkview took custody of medical records pertaining to approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice.  On June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue.

As a covered entity under the HIPAA Privacy Rule, Parkview must appropriately and reasonably safeguard all protected health information in its possession, from the time it is acquired through its disposition.

“All too often we receive complaints of records being discarded or transferred in a manner that puts patient information at risk,” said Christina Heide, acting deputy director of health information privacy at OCR.  “It is imperative that HIPAA covered entities and their business associates protect patient information during its transfer and disposal.”

Parkview cooperated with OCR throughout its investigation. In addition to the $800,000 resolution amount, the settlement includes a corrective action plan requiring Parkview to revise their policies and procedures, train staff, and provide an implementation report to OCR.

To learn more about EHR 2.0 HIPAA Privacy, Security and Breach notification requirements, visit our service page:


The Resolution Agreement can be found here:

Parkview HIPAA Settlement – Resolution Agreement from EHR 2.0

HIPAA compliance toolkit by HHS for Healthcare providers

data analysis free tools

A new security risk assessment (SRA) tool to help guide health care providers in small to medium sized offices conduct risk assessments of their organizations is now available from HHS. The SRA tool is the result of a collaborative effort by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Office for Civil Rights (OCR). The tool is designed to help practices conduct and document a risk assessment in a thorough, organized fashion at their own pace by allowing them to assess the information security risks in their organizations under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The application, available for downloading at also produces a report that can be provided to auditors.

HIPAA requires organizations that handle protected health information to regularly review the administrative, physical and technical safeguards they have in place to protect the security of the information. By conducting these risk assessments, health care providers can uncover potential weaknesses in their security policies, processes and systems.  Risk assessments also help providers address vulnerabilities, potentially preventing health data breaches or other adverse security events. A vigorous risk assessment process supports improved security of patient health data.

Conducting a security risk assessment is a key requirement of the HIPAA Security Rule and a core requirement for providers seeking payment through the Medicare and Medicaid EHR Incentive Program, commonly known as the Meaningful Use Program.

“Protecting patients’ protected health information is important to all health care providers and the new tool we are releasing today will help them assess the security of their organizations,” said Karen DeSalvo, M.D., national coordinator for health information technology. “The SRA tool and its additional resources have been designed to help health care providers conduct a risk assessment to support better security for patient health data.”

“We are pleased to have collaborated with the ONC on this project,” said Susan McAndrew, deputy director of OCR’s Division of Health Information Privacy. “We believe this tool will greatly assist providers in performing a risk assessment to meet their obligations under the HIPAA Security Rule.”

The SRA tool’s website contains a User Guide and Tutorial video to help providers begin using the tool. Videos on risk analysis and contingency planning are available at the website to provide further context.

The tool is available for both Windows operating systems and iOS iPads. Download the Windows version at The iOS iPad version is available from the Apple App Store (search under “HHS SRA tool”).

The ONC is committed to improving the SRA tool in future update cycles, and is requesting that users provide feedback.  Public comments on the SRA tool will be accepted at until June 2, 2014.

10 Myths and Facts about HIPAA and Meaningful Security Risk Analysis

Conducting  a security risk analysis to meet the standards of Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule is included in the meaningful use requirements of the Medicare and Medicaid EHR Incentive Programs. The following areas addresses some of the common myths about conducting a risk analysis, and provides facts and tips that can help you structure your risk analysis process.


Myth 1: The security risk analysis is optional for small providers

Fact: False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

Myth 2:  Simply installing a certified EHR fulfills the security risk analysis MU requirement


False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.

Myth 3: My EHR vendor took care of everything I need to do about privacy and security

Fact:  False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

Myth 4:  I have to outsource the security risk analysis

Fact: False. It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.

Myth 5:  A checklist will suffice for the risk analysis requirement

Fact: False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.

Myth 6:  There is a specific risk analysis method that I must follow

Fact:  False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.

Myth 7:  My security risk analysis only needs to look at my EHR

Fact:  False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data.  Please see U.S. Department of Health and Human Services (HHS) guidance on remote use.

Myth 8:  I only need to do a risk analysis once

Fact:  False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections.

Myth 9:  Before I attest for an EHR incentive program, I must fully mitigate all risks

Fact: False. The EHR incentive program requires correcting any deficiencies (identified during the risk analysis) according to the timeline established in the provider’s risk management process, not the date the provider chooses to submit meaningful use attestation. The timeline needs to meet the requirements under 45 CFR 164.308(a)(1), including the requirement to “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [45 CFR ]§164.306(a).”

Myth 10:  Each year, I’ll have to completely redo my security risk analysis

Fact:  False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. Under meaningful use, reviews are required for each EHR reporting period. For EPs, the EHR reporting period will be 90 days or a full calendar year, depending on the EP’s year of  participation in the program.

Source: CMS

YouTube Best Practices and HIPAA Compliance

Optometry HIPAA data analysis

Video has become central to our lives, both business and personal. The use of video platforms, notably YouTube, can have important business implications for a healthcare system as well as potential HIPAA violation issues if used incorrectly. In addition, being aware of patient use of video (and public posting thereof) can present unintentional HIPAA consequences. In this session we’ll review the best practices for video use and review potential pitfalls.

Join our webinar to learn about Youtube best practices and HIPAA compliance.


Time: Noon to 1:00 p.m. EST

Price: $99

Our 60-minute vendor-neutral educational session on social media trends, best


practices, and compliance for health care professionals will cover:

  • Video pervasiveness
  • Use for education, engagement, & branding
  • Best Practices
  • Developing a video strategy
  • HIPAA compliance review
  • Q & A


  • Access to recorded webinar
  • Compliance best practices
  • Compliance training material for staff


Janet M. Kennedy is a social media strategy & community management specialist in LinkedIn, Facebook & Twitter community development, customer engagement and triggering action in support of customers. She is a well-rounded marketing professional with 15+ years experience developing strategic plans that drive traffic and sales utilizing classic off-line and online marketing tools. Strategic marketer in digital and traditional media. View full bio>>