The nation’s second-largest insurer will pay HHS’ Office for Civil Rights $16 million over a 2015 data breach that affected almost 79 million people, the largest data breach ever reported to the agency.
“The security risk analysis is not a check-the-box activity,” said Beth Pitman, counsel for law firm Waller Lansden Dortch & Davis. “It needs to be updated regularly and incorporated into the business processes of the entity.”
Before Anthem, OCR’s highest fine was $5.5 million—levied against Hollywood, Fla.-based Memorial Health System in 2017 for a breach that affected more than 115,000 people.
In Anthem’s case, hackers broke into the network to steal names, birthdates, Social Security numbers, home addresses and other information of current and former members and employees.
Anthem should have conducted an enterprise-wide risk analysis and put minimum access controls in place to prevent hackers from getting information once they were in the system, according to the OCR.
“It’s not just about all the things…
