Anthem, Inc. will pay a record $16 million to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) after a data breach exposed the electronic protected health information of nearly 79 million people.
The record-breaking settlement agreement with the health insurance company was announced by OCR on Monday, Oct. 15. The settlement stems from a security incident that occurred in Jan. 2015, when Anthem discovered hackers gained access to its IT system through an undetected, continuous and targeted cyber attack.
Hackers were able to infiltrate the company’s system through phishing emails sent to an Anthem subsidiary. An investigation of the incident revealed that between Dec. 2014 and Jan. 2015 hackers stole the electronic protected health information of nearly 79 million people. Information stolen included: names, Social Security numbers, medical identification numbers, addresses, dates of birth, email addresses and employment information.
The OCR said Anthem failed to implement appropriate measures for detecting hackers. The office also said the company “failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.”
In addition to the $16 million payment, Anthem will also have to develop a corrective action plan to comply with HIPAA Privacy and Security Rules.
“We know that large healthcare entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR,” OCR Director Roger Severino said in a statement.