Anthem agrees to pay $16 million in data breach privacy settlement

The insurer will shell out to settle a privacy violations case issued by the US government.
Written by Charlie Osborne, Contributing Writer

Anthem has agreed to pay the US government $16 million to settle potential privacy violations stemming from a 2015 data breach.

The data breach impacted 78.8 million current and former customer records and resulted in the leak of sensitive, personal information belonging to former and active customers three years ago.

Hackers managed to infiltrate a database and covertly steal records containing client names, dates of birth, physical and email addresses, medical IDs and Social Security numbers. The attack took place over a number of weeks before being detected and shut down.

According to the Associated Press, the payout relates to a case between the US health insurer and the Department of Health and Human Services (HHS). To date, this is the largest fine collected in the US over a healthcare-related data breach and potential privacy violations.

See also: Health insurer Anthem hit by hackers, up to 80 million records exposed

The HHS enforces the Health Insurance Portability and Accountability Act (HIPAA), which can be used to pursue settlements when patient data is placed at risk and privacy laws may have been broken.

The US agency's investigation into the data breach found that Anthem's security measures to prevent external intrusion were inadequate.

CNET: Apple says 'dangerous' Australian encryption laws put 'everyone at risk'

The insurer did not admit liability, according to the AP, and the settlement fee was in lieu of civil penalties the agency could have imposed.

Under the terms of the agreement, Anthem will undertake a "corrective action plan," according to to the news agency, in order to boost internal security procedures and practices. This will also require government monitoring.

Anthem said in a statement on Monday that the company has not received any reports of identity theft or fraud stemming from the data breach. Credit monitoring was provided to customers following the incident.

"Anthem takes the security of its data and the personal information of consumers very seriously," the company said. "We have cooperated [...] throughout their review and have now reached a mutually acceptable resolution."

TechRepublic: 5 ways to build your company's defense against a data breach before it happens

The privacy settlement follows the closure of a class-action lawsuit levied against Anthem on behalf of customers impacted by the data breach. Anthem settled the suit for $115 million, but after legal costs, it has been estimated that customers claiming compensation may receive little more than a dollar each.

The 2015 Anthem data breach was a wake-up call for businesses in the healthcare industry to the real threat of cyberattacks but this has not stopped similar intrusions from taking place.

Earlier this year, Singapore's largest group of healthcare institutions, SingHealth, revealed that the non-medical personal data of 1.5 million individuals had been exposed by attackers, alongside the outpatient medical data of 160,000 patients.

Simple steps to erase your digital footprint

Previous and related coverage

Editorial standards