The nation's second-largest health insurer has agreed to pay the government a record $16 million to settle potential privacy violations in the biggest known health care hack in U.S. history, officials said Monday.
The personal information of nearly 79 million people—including names, birth dates, Social Security numbers and medical IDs—was exposed in the cyberattack, discovered by the company in 2015.
The settlement between Indianapolis-based Anthem Inc. and the U.S. Department of Health and Human Services represents the largest amount collected by the agency in a health care data breach, officials said.
"When you have large breaches it erodes people's confidence in the privacy of their sensitive information, and we believe such a large breach of trust merits a substantial payment," said Roger Severino, director of the HHS Office for Civil Rights. The office also enforces the federal health care privacy law known as HIPAA, or the Health Insurance Portability and Accountability Act.
Severino said the Anthem settlement is nearly three times larger than the previous record amount paid to the government in a privacy case. That sends a message to the industry that "hackers are out there always and large health care entities in particular are targets," he added.
The Blue Cross-Blue Shield insurer also agreed to a corrective action plan under government monitoring, which involves a process for the company to assess its electronic security risks, take appropriate countermeasures and maintain ongoing surveillance.
Indianapolis-based Anthem covers more than 40 million people and sells individual and employer coverage in key markets such as New York and California. The payment is in lieu of civil penalties that HHS may have imposed. Anthem admitted no liability. The civil case involving privacy laws is separate from any other investigation the government may be pursuing.
In a statement Monday, Anthem said it's not aware of any fraud or identity theft stemming from the breach. The company provided credit monitoring and identity theft insurance to all customers potentially affected.
"Anthem takes the security of its data and the personal information of consumers very seriously," the statement said. "We have cooperated with (the government) throughout their review and have now reached a mutually acceptable resolution."
The company discovered the data breach in early 2015, but hackers had been burrowing into its systems for weeks. Security experts said at the time that the size and scope of the attack indicated potential involvement by a foreign government.
Hackers used a common email technique called spear-phishing in which unwitting company insiders are tricked into revealing usernames and passwords. The Anthem attackers gained the credentials of system administrators, allowing them to probe deeply into the insurer's systems.
HHS said its investigation found that Anthem had failed to deploy adequate measures for countering hackers. The company lacked an enterprise-wide risk analysis, had insufficient procedures to monitor activity on its systems, failed to identify and respond to suspected or known security incidents and did not implement "adequate minimum access controls" to shut down intrusions from as early as February 2014.