Anthem has agreed to pay the Department of Health and Human Services (HHS) $16 million for a landmark 2015 breach that impacted nearly 79 million consumers.
It's a record-setting settlement from the Office for Civil Rights (OCR), the HHS agency tasked with enforcing HIPAA. It's nearly three times the agency's previous highest settlement of $5.55 million paid by Advocate Health Care in 2016.
“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” OCR Director Roger Severino said in a statement. “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information.”
"We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR," he added.
An investigation by OCR found that the insurance giant failed to conduct an enterprise-wide risk analysis, regularly review system activity, or identify and respond to a known threat.
OCR also determined that Anthem failed to implement the minimum security controls to prevent hackers from accessing sensitive patient information. The attack, which began as early as Feb. 18, 2014, wasn't discovered by Anthem until Jan. 29, 2015, but most of the information was stolen between Dec. 2, 2014 and Jan. 27, 2015.
Anthem has also agreed to take "substantial corrective action," according to OCR. As outlined in its corrective action plan with the agency, Anthem must conduct a risk analysis, review its policies and procedures, provide annual reports to HHS for a two-year period, and notify HHS of any reportable events involving employee noncompliance.
Last year, the insurer agreed to pay $115 million to settle a class-action lawsuit from members affected by the breach.