Anthem fined $16M for 2015 breach

Anthem has been hit with a $16 million fine from the federal government as part of a settlement over its massive January 2015 breach.

That incident was a result of a cyber attack that enabled hackers to access the electronic protected health information of nearly 79 million individuals. Anthem reported that the attackers gained access to data that included patient names, Social Security numbers, member identification numbers, addresses, dates of birth, email addresses and employment information.

The fine was announced late Monday by the Office for Civil Rights of the Department of Health and Human Services, which enforces the HIPAA rules. The monetary penalty against the health insurer is nearly three times the size of the previous record fine by OCR, a $5.55 million penalty against Advocate Health Care Network in 2016.

In 2015, Anthem learned that hackers had infiltrated its systems through spear phishing emails sent to an Anthem subsidiary; at least one employee responded to the malicious email, which opened the door to further attacks.


In an announcement from the Office for Civil Rights, Director Roger Severino said the largest breach in U.S. history fully merited the largest HIPAA settlement, which includes the fine and a substantial corrective action plan. “We know that large healthcare entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR,” Severino noted.

Photo caption: Signage is displayed on the exterior of an Anthem Inc. Blue Cross Blue Shield office building in Wallingford, Connecticut, U.S., on Tuesday, Nov. 22, 2016. Anthem Inc.'s proposed $48 billion merger with Cigna Corp. could give the insurer the power to raise prices for employers both in the 14 states where it does business and across the country, according to a witness in the U.S. government's lawsuit to block the deal. Photographer: Michael Nagle/Bloomberg

OCR’s investigation of the Anthem breach found that the insurer failed to conduct an enterprise-wide risk analysis, did not regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the attackers from accessing the protected health information.

The resolution agreement and corrective action plan for Anthem is available here.
