More recently, in a resolution agreement dated December 2, 2014, the OCR
resolved its investigation of a cybersecurity incident involving Anchorage
Community Mental Health Services (“ACMHS”)—a nonprofit community behavioral
health provider.110
Like WellPoint, the investigation started when ACMHS disclosed to the
OCR a breach of unsecured e-PHI affecting 2,743 individuals.111 The breach
was caused by malware that compromised the security of ACMHS’
information technology resources.112 According to the OCR, ACMHS failed
to conduct an “accurate and thorough assessment of the potential risks and
vulnerabilities to the confidentiality, integrity, and availability of e-PHI” in
violation of the HIPAA Security Rule.113 Further, the OCR alleged that ACMHS
violated the HIPAA Security Rule by failing to “implement policies and
procedures requiring implementation of security measures sufficient to
reduce risks and vulnerabilities to its e-PHI to a reasonable and appropriate
Finally, the OCR noted that ACMHS failed to implement “technical
security measures to guard against unauthorized access to e-PHI that is
transmitted over an electronic communications network . . . by failing to
ensure that firewalls were in place with threat identification monitoring of
inbound and outbound traffic and that information technology resources were
both supported and regularly updated with available patches.”115 This final
allegation is notable because it speaks directly to the vulnerabilities outlined
in the SANS report: namely, an intrusion that can persist undetected when
there is no monitoring to determine whether traffic entering or leaving the
network is malicious or legitimate.
ACMHS ultimately entered into a resolution agreement with HHS, agreeing to
pay $150,000 and to adopt an onerous corrective action plan (“CAP”; note
that a CAP was not required under the WellPoint resolution agreement).
The CAP, which is similar to a corporate integrity agreement, is effective for
two years and includes revisions to ACMHS’ e-PHI policies and procedures;
signed attestations from workforce members that they have read, understand,
and will abide by those policies and procedures; security awareness training;
an annual security risk assessment; commitments to investigate suspected
breaches; and obligations to report certain non-compliance.
In addition, ACMHS must submit annual reports to HHS in which the
110. See Resolution Agreement Between HHS & Anchorage Community Mental Health Services, Inc., HHS.GOV (Dec. 2, 2014),
111. Id. at 1.
114. Id. at 1–2.
115. Id. at 2.