New HIPAA Settlement

Posted by BAS - 20 December, 2018

Anthem, Inc. has entered into a $16 million settlement with the U.S. Department of Health and Human Services for alleged violations of HIPAA. The settlement results from a series of cyberattacks that led to a data breach of the health information of approximately 71 million people.

Anthem is one of the largest health benefits organizations in the United States. In March 2015, it filed a breach report with HHS identifying an incident discovered on January 29, 2015. Anthem determined that cyber-attackers gained access to its IT systems through an undetected and targeted cyberattack. The attackers entered the Anthem system through spear phishing emails, when an employee responded to the fraudulent email. The attackers stole the information of 79 million people, including names, Social Security numbers, addresses, dates of birth, and email addresses.

HHS determined that Anthem did not conduct an enterprise-wide risk analysis and did not have sufficient procedures to review information and system activity. It also determined that Anthem failed to identify and respond to suspected or known security incidents and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive electronic health information.

In addition to the $16 million settlement, Anthem must undergo a corrective action plan to comply with HIPAA.

Topics: MyEnroll360 Security

