Healthcare insurance company handed biggest-ever HIPAA penalty for 2015 cyber-attack

US insurer Anthem is set to pay the government $16 million in fines after suffering the biggest healthcare breach in the country’s history.

The settlement is the largest on record under the Health Insurance Portability and Accountability Act (HIPAA), though Anthem still claims no wrongdoing.

The privacy violation fine relates to a cyber-attack between December 2014 and January 2015, which resulted in the personally identifiable information of 79 million people being exposed.

Names, dates of birth, and Social Security numbers were among the details stolen in the hack.

A statement from the Department of Health and Human Services blamed Anthem’s “inappropriate” security measures.

But a spokesperson from the insurance company said it does not accept any wrongdoing.

The statement read: “Importantly, this agreement reached with OCR [Office for Civil Rights] specifically states that this is not ‘an admission, concession, evidence’ that Anthem acted improperly.”

Anthem reported the breach to authorities in March 2015. It concluded that a single employee responded to a malicious email sent via a spear-phishing campaign, giving hackers access to company systems.

OCR claims that Anthem failed to identify or respond to security attacks and did not implement adequate minimum access controls.

Director Roger Severino said: “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people's private information.”

The insurance firm has agreed to pay the $16 million and to review its practices to bring them into compliance with HIPAA rules.

A statement posted on the company website reads: “Anthem has reached a settlement to completely resolve the multidistrict class action litigation brought against Anthem and other defendants relating to the 2015 cyber-attack.

“Under the settlement, which was preliminarily approved by the court on August 25, 2017, Anthem does not admit any wrongdoing or acknowledge that any individuals were harmed as a result of the cyber-attack.

“Nevertheless, we are pleased to be putting this litigation behind us, and to be providing additional benefits to individuals whose data was impacted in the cyber-attack.”

This latest fine is another headache for the healthcare company, which agreed last year to pay $115 million to victims in a class action lawsuit.

Of this figure, more than $37 million was allocated to legal fees, $17 million was paid out to Experian, for handling the credit monitoring for victims, and an unknown figure was assigned to government taxes.

Individual victims will have to submit claims for a share of the settlement, not exceeding $15 million.

Lost records

Anthem has now overtaken Memorial Healthcare Systems as the company paying the biggest HIPAA fine to date.

Back in February 2017, Memorial was charged $5.5 million after a former employee was able to access the records of 115,143 patients because that employee’s user account had never been terminated.

In August 2016, Advocate Health was handed a $5.5 million penalty for “multiple violations” of HIPAA, including the compromise of four million patients’ records.

And in June this year, The University of Texas MD Anderson Cancer Center was fined $4.35 million for three separate data breaches, after an unencrypted laptop and two unencrypted USB drives were stolen.