Insurer Anthem will pay record $16M for massive data breach


Federal officials say Anthem, the nation’s second-largest health insurer, will pay the government a record $16 million to settle potential violations of privacy requirements in a 2015 case that still stands as the biggest health care hack in U.S. history. | AP file photo

WASHINGTON — The nation’s second-largest health insurer has agreed to pay the government a record $16 million to settle potential privacy violations in the biggest known health care hack in U.S. history, officials said Monday.

The personal information of nearly 79 million people — including names, birthdates, Social Security numbers and medical IDs — was exposed in the cyberattack, discovered by the company in 2015.

The settlement between Anthem Inc. and the Department of Health and Human Services represents the largest amount collected by the agency in a health care data breach, officials said.

“When you have large breaches it erodes people’s confidence in the privacy of their sensitive information, and we believe such a large breach of trust merits a substantial payment,” said Roger Severino, director of the HHS Office for Civil Rights. The office also enforces the federal health care privacy law known as HIPAA, or the Health Insurance Portability and Accountability Act.

Severino said the Anthem settlement is nearly three times larger than the previous record amount paid to the government in a privacy case. That sends a message to the industry that “hackers are out there always and large health care entities in particular are targets,” he added.

The Blue Cross-Blue Shield insurer also agreed to a corrective action plan under government monitoring, which involves a process for the company to assess its electronic security risks, take appropriate countermeasures and maintain ongoing surveillance.

Indianapolis-based Anthem covers more than 40 million people and sells individual and employer coverage in key markets like New York and California. The payment is in lieu of civil penalties that HHS may have imposed. Anthem admitted no liability. The civil case involving privacy laws is separate from any other investigation the government may be pursuing.

In a statement Monday, Anthem said it’s not aware of any fraud or identity theft stemming from the breach. The company provided credit monitoring and identity theft insurance to all customers potentially affected.

“Anthem takes the security of its data and the personal information of consumers very seriously,” the statement said. “We have cooperated with (the government) throughout their review and have now reached a mutually acceptable resolution.”

The company discovered the data breach in early 2015, but hackers had been burrowing into its systems for weeks. Security experts said at the time that the size and scope of the attack indicated potential involvement by a foreign government.

Hackers used a common email technique called spear-phishing in which unwitting company insiders are tricked into revealing usernames and passwords. The Anthem attackers gained the credentials of system administrators, allowing them to probe deeply into the insurer’s systems.

HHS said its investigation found that Anthem had failed to deploy adequate measures for countering hackers. The company lacked an enterprisewide risk analysis, had insufficient procedures to monitor activity on its systems, failed to identify and respond to suspected or known security incidents, and did not implement “adequate minimum access controls” to shut down intrusions from as early as February 2014.
