Anthem pays record $16M settlement to HHS for 2015 data breach

Anthem has agreed to pay $16 million to OCR following an investigation into its 2015 data breach. (Anthem)

Anthem has agreed to pay the Department of Health and Human Services (HHS) $16 million for a landmark 2015 breach that impacted nearly 79 million consumers.

It's a record-setting settlement from the Office for Civil Rights (OCR), the HHS agency tasked with enforcing HIPAA. It's nearly three times the agency's previous highest settlement of $5.55 million paid by Advocate Health Care in 2016.

“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” OCR Director Roger Severino said in a statement. “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information.”


"We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR," he added.


An investigation by OCR found that the insurance giant failed to conduct an enterprisewide risk analysis, regularly review system activity or identify and respond to a known threat.

OCR also determined that Anthem failed to implement the minimum security controls to prevent hackers from accessing sensitive patient information. The attack, which began as early as Feb. 18, 2014, wasn't discovered by Anthem until Jan. 29, 2015, but most of the information was stolen between Dec. 2, 2014 and Jan. 27, 2015.

Anthem has also agreed to take "substantial corrective action," according to OCR. As outlined in its corrective action plan with the agency, Anthem must conduct a risk analysis, review its policies and procedures, provide annual reports to HHS for a two-year period and notify HHS of any reportable events involving employee noncompliance.

Last year, the insurer agreed to pay $115 million to settle a class-action lawsuit from members affected by the breach.
