Cyberattacks compromised the protected health information of 79 million people.
Anthem, one of the nation’s largest health insurers, has agreed to pony up $16 million for allowing several cyberattacks to compromise the protected health information of almost 79 million people.
The data breach remains the largest to ever strike the American healthcare system, according to the U.S. Department of Health and Human Services (HHS), which announced the agreement. The department’s Office for Civil Rights (OCR) will receive Anthem’s payment, which is the largest such settlement ever reached, by some $10 million.
“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” OCR Director Roger Severino said in a statement.
An independent licensee of the Blue Cross and Blue Shield Association, Anthem provides health insurance coverage to one in eight U.S. residents, according to HHS. To protect those patients going forward, Anthem has also agreed to institute a corrective action plan.
The episode began in December 2014, when hackers used spear phishing emails to gain access to Anthem’s system, according to OCR. Cyberattackers then stole the protected health information — including medical identification numbers, Social Security numbers and other sensitive data — of nearly 79 million people, through Jan. 27, 2015.
Anthem learned of the “undetected, continuous and targeted” attack two days later and determined that hackers had intended to steal data. The insurer filed the breach report with OCR in mid-March.
“Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information,” Severino added. “We know that large healthcare entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”
OCR investigators also found that Anthem did not perform an enterprise-wide risk analysis, lacked proper protocols to view system activity, failed to pinpoint or react to security incidents and did not install “adequate minimum access controls” that might have barred hackers from retrieving protected health information. These problems had existed since at least February 2014, according to OCR.
The sweeping data breach has already spawned a class-action lawsuit that resulted in a $115 million settlement.
Get the best insights in healthcare analytics directly to your inbox.