Indianapolis-based Anthem Inc. (NYSE: ANTM) has reached a settlement related to what the U.S. Department of Health and Human Services calls the largest health data breach in U.S. history. The HHS says the company has agreed to pay $16 million and take "substantial corrective action" to settle potential violations of the Health Insurance Portability and Accountability Act.
The settlement is also the largest HIPAA-related payment to the HHS Office for Civil Rights in history. The previous record was $5.5 million paid to the OCR in 2016.
The HHS says the breach resulted from cyber-attacks that exposed the electronic protected health information (ePHI) of nearly 79 million people, including names, Social Security numbers, medical identification numbers, addresses, and more. OCR's investigation of the incident found that Anthem:
- Failed to conduct an enterprise-wide risk analysis
- Had insufficient procedures to regularly review information system activity
- Failed to identify and respond to suspected or known security incidents
- Failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014
"The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history," OCR Director Roger Severino said in a news release. "Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information. We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR."
In addition to the $16 million payment, Anthem has agreed to establish a "robust corrective action plan" to comply with the HIPAA rules. Further details on the case and the settlement are in the OCR news release.