Anthem pays record $16M settlement to HHS for 2015 data breach

Anthem has agreed to pay $16 million to OCR following an investigation into its 2015 data breach. (Anthem)

Anthem has agreed to pay the Department of Health and Human Services (HHS) $16 million for a landmark 2015 breach that impacted nearly 79 million consumers.

It's a record-setting settlement from the Office for Civil Rights (OCR), the HHS agency tasked with enforcing HIPAA. It's nearly three times the agency's previous highest settlement of $5.55 million paid by Advocate Health Care in 2016.

“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” OCR Director Roger Severino said in a statement. “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information.”


"We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR," he added.


An investigation by OCR found that the insurance giant failed to conduct an enterprise-wide risk analysis, to regularly review system activity, or to identify and respond to a known threat.

OCR also determined that Anthem failed to implement the minimum security controls to prevent hackers from accessing sensitive patient information. The attack, which began as early as Feb. 18, 2014, wasn't discovered by Anthem until Jan. 29, 2015, but most of the information was stolen between Dec. 2, 2014 and Jan. 27, 2015.

Anthem has also agreed to take "substantial corrective action," according to OCR. As outlined in its corrective action plan with the agency, Anthem must conduct a risk analysis, review its policies and procedures, provide annual reports to HHS for a two-year period and notify HHS of any reportable events involving employee noncompliance.

Last year, the insurer agreed to pay $115 million to settle a class-action lawsuit from members affected by the breach.
