Anthem has agreed to pay the federal government $16 million in a settlement over its 2015 data breach that hit nearly 79 million people, HHS said Monday.
The agreement is by far the largest settlement reached by HHS' Office for Civil Rights for a Health Insurance Portability and Accountability Act breach. Hackers stole the names, birth dates, Social Security numbers, home addresses and other personal information in the 2015 cyberattack.
As part of the settlement, Anthem agreed to a corrective action plan under which it will conduct a risk analysis and fix any deficiencies. HHS will oversee Anthem's work.
Office for Civil Rights Director Roger Severino acknowledged that healthcare companies are attractive targets for hacks, and they're expected to have adequate cybersecurity defenses.
"The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history," Severino said in a statement. "Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people's private information."
Anthem did not admit liability for the incident. The insurer on Monday said it isn't aware of any identity theft stemming from the 2015 attack.
"Anthem takes the security of its data and the personal information of consumers very seriously," the company said in a statement. "We have cooperated with (the government) throughout their review and have now reached a mutually acceptable resolution."
In 2017, Anthem agreed to shell out $115 million to settle a class-action lawsuit over the breach, the largest data-breach settlement ever at the time. Anthem also offered class-action members two years of credit protection—in addition to the two years of monitoring they already received—and put $15 million aside for customers' out-of-pocket costs stemming from the breach.