Anthem pays record $16M settlement to HHS for 2015 data breach

Anthem has agreed to pay $16 million to OCR following an investigation into its 2015 data breach. (Anthem)

Anthem has agreed to pay the Department of Health and Human Services (HHS) $16 million for a landmark 2015 breach that impacted nearly 79 million consumers.

It's a record-setting settlement from the Office for Civil Rights (OCR), the HHS agency tasked with enforcing HIPAA. It's nearly three times the agency's previous highest settlement of $5.55 million paid by Advocate Health Care in 2016.

“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” OCR Director Roger Severino said in a statement. “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information.”


"We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR," he added.


An investigation by OCR found that the insurance giant failed to conduct an enterprisewide risk analysis, regularly review system activity or identify and respond to a known threat.

OCR also determined that Anthem failed to implement the minimum security controls to prevent hackers from accessing sensitive patient information. The attack, which began as early as Feb. 18, 2014, wasn't discovered by Anthem until Jan. 29, 2015, but most of the information was stolen between Dec. 2, 2014 and Jan. 27, 2015.

Anthem has also agreed to take "substantial corrective action," according to OCR. As outlined in its corrective action plan with the agency, Anthem must conduct a risk analysis, review its policies and procedures, provide annual reports to HHS for a two-year period and notify HHS of any reportable events involving employee noncompliance.

Last year, the insurer agreed to pay $115 million to settle a class-action lawsuit from members affected by the breach.
