Anthem has agreed to pay $16 million to the HHS Office for Civil Rights (OCR) to settle the largest health data breach in history after a series of targeted cyberattacks in 2015 exposed the electronic protected health information (ePHI) of almost 79 million people.
A separate $115 million settlement approved in August will pay for four years of credit monitoring and all other claims, costs and fees for affected individuals. Any remaining money will go towards paying valid claims for out-of-pocket expenses exceeding the original $15 million reserve, extending credit monitoring and fraud resolution services beyond the four year term and, finally, to charity.
The settlement, preliminarily approved by the court in August of 2017, requires Anthem to undertake a corrective action plan to get back in compliance with HIPAA rules. However, Anthem does not admit any wrongdoing, or acknowledge that any beneficiaries were harmed as a result of the attack.
The settlement highlights American healthcare's dominance in one area it would rather not: security breaches.
In the first half of this year, healthcare led all industries in terms of public data breaches. The largest, at health referral service 211 LA Country, exposed 3.5 million records through accidental loss.
Multiply that by roughly 23 and you get the severity of 2015’s Anthem breach. As one of the nation’s largest health benefits companies covering one in every eight Americans, the massive payer was a huge mark for hackers looking to get their hands on a wealth of health data.
The cyberattack, called an “advanced persistent threat attack,” allowed the perpetrators to gain undetected access to Anthem’s IT system and, between Dec. 2, 2014 and Jan. 27, 2015, steal the health data of approximately 79 million individuals.
Compromised data included names, Social Security numbers, medical identification numbers, addresses, birth dates, email addresses and employment information, according to the OCR investigation.
Anthem filed a breach report with OCR in March of 2015, some two months after they discovered the attack. After filing, the company discovered the hackers had infiltrated their data infrastructure through phishing emails, sent to an Anthem subsidiary after at least one employee responded to a fraudulent email and threw open the door to the hackers.
Along with the vast scope of the attack, the OCR investigation disclosed that Anthem failed to undertake basic security measures to protect patient ePHI such as conducting an enterprise-wide risk analysis or regularly reviewing information system activity.
“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” OCR director Roger Severino said in a statement. “Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information.”
The $16 million settlement trumps the previous high of $5.55 million paid to OCR by Advocate Health Care in 2016.
Correction: A previous version of this article mislabeled the $115 million class action settlement as the OCR fine.