Health insurance provider Anthem has agreed to pay the Department of Health and Human Services’ Office for Civil Rights (OCR) $16 million to settle what HHS called “potential violations” of the Health Insurance Portability and Accountability Act (HIPAA). The settlement stems from an Anthem data breach in late 2014 and early 2015 in which cyber criminals stole data on nearly 79 million individuals, including names, Social Security numbers, medical identification numbers, and email addresses, among other fields.
HHS also said Anthem agreed to undertake a “robust corrective action plan” to comply with HIPAA rules.
Anthem disclosed the cyber attack and data theft to HHS in March 2015 and subsequently determined that attackers gained access to its networks through a spearphishing exploit.
“Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information,” said Roger Severino, director of HHS’ Civil Rights Office, in a statement.
“We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR,” he said.
“In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014,” HHS said.