Anthem, the second-largest health insurer in the US, will pay $16 million to the US Department of Health and Human Services' Office for Civil Rights (OCR) following a data breach that exposed the electronic protected health information (ePHI) of almost 80 million people. Anthem will also implement a corrective action plan that includes a thorough risk analysis and regular reporting.
The government will supervise the plan to ensure HIPAA (Health Insurance Portability and Accountability Act) compliance. This is the largest settlement a company has had to pay the Office for Civil Rights for privacy violations.
“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino.
The set of privacy and security guidelines issued by HIPAA to protect patient data is considered an industry standard. Entities such as Anthem that operate with critical health records are required to meet HIPAA standards in terms of physical, network and process security. The investigation by the Office for Civil Rights revealed that Anthem had not taken proper measures to secure health records.
“Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information,” Severino said.
“We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”
When it occurred in 2015, the breach was described by the company's CEO as a "very sophisticated external cyber attack." After infiltrating the company's IT systems through an advanced persistent threat attack, the hackers stole both associates' and members' personal information, including physical addresses, medical IDs, Social Security numbers and income data. Employment details may also have been exposed. The breach affected customers of Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink and DeCare.
Following a lawsuit filed by affected customers last year, Anthem settled for $115 million in compensation to cover lawsuit fees and two years of credit and identity monitoring, as well as to reimburse financial damages the victims may have suffered, such as counterfeit tax returns filed in their names.
"This was one of the largest cyber hacks of an insurance company's customer data," Insurance Commissioner Dave Jones said at the time. "Insurers have an obligation to make sure consumers' health and financial information is protected. Insurance commissioners required Anthem to take a series of steps to improve its cybersecurity and provide credit protection for consumers affected by the breach. In this case, our examination team concluded with a significant degree of confidence that the cyber attacker was acting on behalf of a foreign government," Jones added.
The Anthem breach confirms that, no matter how large an enterprise is, it can still fall victim to spearphishing emails. All it took was one moment of negligence and a single malicious email to let the hackers into its infrastructure.