[BreachExchange] Anthem to pay $16M in record data breach settlement

Destry Winant destry at riskbasedsecurity.com
Wed Oct 17 00:37:19 EDT 2018


Anthem has agreed to pay the federal government $16 million in a
settlement over its 2015 data breach that hit nearly 79 million
people, HHS said Monday.

The agreement is by far the largest settlement reached by HHS' Office
for Civil Rights for a Health Insurance Portability and Accountability
Act breach. Hackers stole the names, birth dates, Social Security
numbers, home addresses and other personal information in the 2015

As part of the settlement, Anthem agreed to a corrective action plan
where it will conduct a risk analysis and fix any deficiencies. HHS
will oversee Anthem's work.

Office for Civil Rights Director Roger Severino acknowledged that
healthcare companies are attractive targets for hacks, and they're
expected to have adequate cybersecurity defenses.

"The largest health data breach in U.S. history fully merits the
largest HIPAA settlement in history," Severino said in a statement.
"Unfortunately, Anthem failed to implement appropriate measures for
detecting hackers who had gained access to their system to harvest
passwords and steal people's private information."

Anthem did not admit liability for the incident. The insurer on Monday
said it isn't aware of any identity theft stemming from the 2015

"Anthem takes the security of its data and the personal information of
consumers very seriously," the company said in a statement. "We have
cooperated with (the government) throughout their review and have now
reached a mutually acceptable resolution."

In 2017, Anthem agreed to shell out $115 million to settle a
class-action lawsuit over the breach, the largest data-breach
settlement ever at the time. Anthem also offered class-action members
two years of credit protection—in addition to the two years of
monitoring they already received—and put $15 million aside for
customers' out-of-pocket costs stemming from the breach.
