The nation’s second-largest health insurer will pay the government a record $16 million due to a data breach and cyberattack that exposed the customer data of nearly 80 million people.
The settlement between Anthem Insurance and the Department of Health and Human Services represents the largest amount collected by the agency in a health care data breach.
“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” OCR Director Roger Severino said in a press release. “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information.”
“We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR,” he added.
The breach, discovered by the company in 2015, exposed names, birthdates, Social Security numbers and medical IDs. In 2017, it was reported that an extensive nationwide investigation into the breach is confident that a foreign government likely contracted a hacker to launch the attack on the insurance giant.
“In this case, our examination team concluded with a significant degree of confidence that the cyber attacker was acting on behalf of a foreign government,” Dave Jones, a state insurance commissioner from California, said in a statement.
The investigation also stated that the attack began back in February 2014, though it wasn’t discovered until January 2015. One user at an Anthem subsidiary opened a phishing email that eventually gave the hacker access to Anthem’s entire data warehouse.
In a statement, Anthem said it’s not aware of any fraud or identity theft stemming from the breach. The company provided credit monitoring and identity theft insurance to all customers potentially affected.
“Anthem takes the security of its data and the personal information of consumers very seriously,” the statement said, according to the Associated Press. “We have cooperated with (the government) throughout their review and have now reached a mutually acceptable resolution.”