Anthem agrees to record-breaking $16M HIPAA violation settlement

The settlement stems from a cybersecurity attack in 2015 that revealed the personal health information of nearly 79 million people in the single largest healthcare data breach in U.S. history.

Health insurance giant Anthem has agreed to pay the U.S. Department of Health and Human Services a $16 million settlement stemming from a cybersecurity attack in 2015 that revealed the personal health information of nearly 79 million people in the single largest healthcare data breach in U.S. history.

The breach exposed electronic protected health information, including names, Social Security numbers, medical ID numbers and employment information, that Anthem maintained for its affiliated health plans and other covered entity health plans.

The plans affected by the attack included Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink and DeCare.

Hackers gained entry to Anthem’s system through phishing emails sent to an Anthem subsidiary and siphoned the information undetected for a period of nearly two months.

The scale and nature of the attack immediately raised concerns about the current methodology for encrypting and storing patient information. Ironically enough, reporting came out later that the Chinese hackers suspected of being behind the attack were using the information to improve their own healthcare system.

The $16 million settlement paid to the HHS Office for Civil Rights eclipses the previous record by more than $10 million.

The OCR’s investigation found that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, and failed to identify and respond to security incidents. As part of the agreement with OCR, Anthem is required to undertake a corrective action plan to secure patient information as required by HIPAA.

“Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information,” OCR Director Roger Severino said in a statement.

“We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”

The payment to the government comes on top of a $115 million settlement for a class action suit brought by those affected by the data breach.

On top of that settlement, Anthem is required to provide data breach victims at least two years of credit monitoring and provide cash compensation for individuals who already enrolled in credit monitoring.

The health insurer is also required to cover out-of-pocket expenses victims have due to the data breach.