Insurer Anthem will pay record $16M for massive data breach
Officials say the nation's second-largest health insurer has agreed to pay the government a record $16 million to settle potential privacy violations in the biggest known health care hack in U.S. history.
The personal information of nearly 79 million people — including names, birthdates, Social Security numbers and medical IDs — was exposed in the cyberattack, discovered by the company in 2015.
The settlement between Anthem Inc. and the Department of Health and Human Services represents the largest amount collected by the agency in a health care data breach.
HHS Office for Civil Rights Director Roger Severino says, "When you have large breaches it erodes people's confidence in the privacy of their sensitive information, and we believe such a large breach of trust merits a substantial payment." The office also enforces the federal health care privacy law known as HIPAA, or the Health Insurance Portability and Accountability Act.
Severino said the Anthem settlement is nearly three times larger than the previous record amount paid to the government in a privacy case. That sends a message to the industry that "hackers are out there always and large health care entities in particular are targets."
The Blue Cross-Blue Shield insurer also agreed to a corrective action plan under government monitoring, which involves a process for the company to assess its electronic security risks, take appropriate countermeasures and maintain ongoing surveillance.
Anthem covers more than 40 million people and sells individual and employer coverage in key markets like New York and California.