After a relatively quiet start to 2018, the Office for Civil Rights within the U.S. Department of Health and Human Services (OCR) has had an incredibly busy week, with the announcement of a blockbuster settlement, an updated security risk assessment tool, and new priorities for the agency.

Anthem Settlement

In a record-breaking settlement, Anthem, one of the nation’s largest health benefits companies, has agreed to pay OCR $16 million and take substantial corrective actions to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) after self-reporting a series of cyberattacks that resulted in the largest health information data breach in U.S. history. Notably, the breach included electronic protected health information (ePHI) that Anthem maintained as a business associate acting on behalf of its affiliated health plans, making this week’s enforcement action by OCR one of the few involving a business associate.

In March of 2015, Anthem filed a breach report with OCR informing the agency of its discovery that cyberattackers had gained access to its information and technology (IT) systems through an undetected continuous and targeted cyberattack for the alleged purpose of extracting data. After filing the report, Anthem later discovered that the cyberattackers had infiltrated its IT systems through a phishing scam sent to one of its subsidiaries that was initiated by at least one employee responding to a malicious e-mail.


Continue Reading

A U.S. Department of Health and Human Services (“HHS”) administrative law judge (“ALJ”) ordered the University of Texas MD Anderson Cancer Center (“MD Anderson”) last month to pay a $4,348,000 civil monetary penalty because of violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  While the vast majority of enforcement actions taken

On April 4, 2018, the New Jersey Attorney General’s office announced a settlement with a large network of physicians affiliated with medical and surgical practices throughout New Jersey (the “Medical Group”) for health privacy and security violations related to a breach of more than 1,650 patient records.  The settlement for violations of the federal Health