The 2015 breach exposed the protected health information of close to 79 million people by affecting electronic protected health information that Anthem maintained for its affiliated health plans and other covered entity health plans.
The largest previous settlement was $5.5 million paid to the OCR in 2016.
WHY THIS MATTERS
The OCR holds Anthem responsible for the breach that investigators learned was done by a hacker acting on behalf of a foreign government.
OCR Director Roger Severino said large healthcare entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion.
Anthem, an independent licensee of the Blue Cross and Blue Shield Association, is among the largest, providing coverage to one in eight Americans through its affiliated health plans.
The OCR investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers, beginning as early as February 18, 2014.
In addition to the $16 million settlement, Anthem must undertake a robust corrective action plan to comply with the HIPAA rules.
THE TREND
Hackers gained access to Anthem's system through phishing emails, a common method for cyber attacks. The phishing emails were sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks, the OCR said.
On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, it discovered cyber-attackers had gained access to their IT system via an undetected continuous and targeted cyber attack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack.
OCR's investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the electronic information of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.
ON THE RECORD
"The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history," said OCR Director Roger Severino. "Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people's private information."