Anthem to Pay Record $16M as Settlement for Privacy Violations
The Anthem settlement is nearly three times larger than the previous highest amount paid to the government in a privacy case. In other health industry news: telemedicine fraud, tariffs, and healthcare construction, and electronic health records.
One of United States biggest health insurer has agreed to pay the government a record $16 million to settle potential security infringement in the greatest known healthcare hack in the history of the US, authorities said Monday.
The personal data and other information of nearly 79 million people were exposed, which included; names, birth dates, social security numbers, and medical IDs.
The settlement speaks to the biggest sum gathered by the government in a healthcare data break, authorities said.
Roger Severino, director of the HHS Office for Civil Rights said “When you have large breaches it erodes people’s confidence in the privacy of their sensitive information, and we believe such a large breach of trust merits a substantial payment. The office also enforces the federal health care privacy law known as HIPAA or the Health Insurance Portability and Accountability Act”.
The Anthem settlement is nearly three times larger than the previous record amount paid to the government in a privacy case. That sends a message to the industry that “hackers are out there always and large health care entities, in particular, are targets,” said Severino.
The Blue Cross-Blue Shield insurer also consented to fix thing under the supervision of the government, which includes a procedure for the organization to evaluate its electronic security risks, take proper countermeasures and continuous monitoring.
Indianapolis-based Anthem covers more than 40 million people and sells individual and employer coverage in key markets like New York and California. The payment is in lieu of civil penalties that HHS may have imposed. Anthem admitted no liability. The civil case involving privacy laws is separate from any other investigation the government may be pursuing.
Anthem covers in excess of 40 million individuals and offers individual and employer coverage in key markets like California and New York. The payment is in lieu of common punishments imposed by the HHS.
Anthem in a statement on Monday said “it’s not aware of any fraud or identity theft stemming from the breach. The company provided credit monitoring and identity theft insurance to all customers potentially affected.
Anthem takes the security of its data and the personal information of consumers very seriously. We have cooperated with the government throughout their review and have now reached a mutually acceptable resolution.”
The organization detected the data breach in 2015, but the hackers had already made their presence and have tunnelled into their system for a long time. Security specialists said at the time that looking at the modus operandi of the attack it clearly demonstrated a potential involvement of a foreign government.
The Hacker used the typical email spear-phishing method in which ignorant company insiders are tricked into revealing usernames and passwords. The attackers of Anthem picked up the credentials of the system administrator, allowing them to dig deep into their systems.
HHS said its investigation found that Anthem had failed to deploy adequate measures for countering hackers. The company lacked an enterprise wide risk analysis, had insufficient procedures to monitor activity on its systems, failed to identify and respond to suspected or known security incidents, and did not implement “adequate minimum access controls” to shut down intrusions from as early as February 2014.
Julia Sowells960 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.