Anthem will pay HHS $16 million to settle potential HIPAA violations related to cyberattacks that compromised the health information of nearly 79 million people in 2015, HHS said Oct. 15.
The payment is the largest HIPAA settlement the HHS Office for Civil Rights (OCR) has ever obtained, eclipsing the previous high of $5.5 million reached in 2016.
"The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history," said OCR Director Roger Severino. "Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people's private information."
In addition to the settlement, Anthem agreed to take substantial corrective action to ensure HIPAA compliance.
In January 2015, Anthem discovered that cyberattackers had gained access to the health insurer's IT system through phishing emails sent to an Anthem subsidiary. Between December 2014 and January 2015, the attackers stole the electronic protected health information (ePHI) of almost 79 million individuals. Compromised information included names, Social Security numbers, medical identification numbers, addresses, dates of birth, email addresses and employment information.
In August 2018, a federal district judge in California approved Anthem's separate $115 million settlement of a class-action lawsuit brought on behalf of 19.1 million people potentially affected by the breach. That approval also marked one of the largest settlements in a consumer data breach case.