The $16 million settlement stems from a series of attacks in 2014 and 2015 that potentially exposed the electronic health information of nearly 80 million people.
Anthem Inc. will pay the federal government $16 million to settle the largest health data breach in U.S. history, the Department of Health and Human Services announced.
The settlement stems from a series of cyberattacks on the Blue Cross Blue Shield carrier between December 2014 and January 2015 that exposed the electronic health information of 79 million people, HHS's Office for Civil Rights said.
The $16 million settlement is the largest ever under the Health Insurance Portability and Accountability Act.
"The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history," OCR Director Roger Severino said in a media release.
"Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people's private information," Severino said.
Anthem issued a statement saying that it cooperated with the OCR investigation, and "takes the security of its data and the personal information of consumers very seriously."
"Importantly, the agreement reached with OCR specifically states that this is not 'an admission, concession, evidence' that Anthem acted improperly," Anthem said.
Indianapolis-based Anthem discovered the breach in January 2015 and notified HHS in March 2015. The health insurer discovered that hackers had accessed its IT system via an undetected, continuous and targeted cyberattack designed to steal personal health data.
After filing its breach report, Anthem discovered that the hackers had breached its system through spear-phishing emails sent to an Anthem subsidiary; at least one employee responded to the malicious email, which opened the door to further attacks.
OCR determined that between December 2, 2014 and January 27, 2015, the hackers stole electronic health information from about 79 million people, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.
OCR said Anthem also failed to conduct an enterprise-wide risk analysis, had insufficient procedures to review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyberattacks that began as early as Feb. 18, 2014.
"We know that large healthcare entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR," Severino said.
Anthem said that when it learned of the breach, its first priority was to ensure that its systems were secure, "which we did by engaging a world-class security organization and the FBI."
"Additionally, we provided initial notice within 4 business days, and credit protections within 11 business days. We are not aware of any fraud or identity theft that has occurred as a result of this incident," Anthem said.
Anthem already agreed to pay a record-setting $115 million to settle a class-action lawsuit filed over a 2015 breach.
In addition to the $16 million settlement, Anthem agreed to undertake corrective actions to comply with HIPAA Rules.
Before this week's settlement, the largest HIPAA-related settlement came in 2016, when Chicago-based Advocate Health Care Network paid $5.55 million after multiple potential violations that jeopardized the health records of more than 4 million patients.
John Commins is a content specialist and online news editor for HealthLeaders, a Simplify Compliance brand.
Anthem says the settlement is not an admission or evidence that it acted improperly.
The Blue Cross Blue Shield carrier settled a $115 million class-action suit for the breach in 2017.