US regulator issues record data breach fine
The second-biggest health insurer in the US has been hit by a record-breaking $1.6m penalty for a data privacy breach dating back to 2015.
Anthem, which is based in Indianapolis, suffered a cyber-attack three years ago which compromised the personal information of almost 80 million individuals. Details accessed included names, dates of birth, social security numbers and medical identification.
The company provides insurance to over 40 million individuals and delivers single and employer coverage in New York and California, as well as other major markets.
The hack is the biggest in US healthcare history, the Chicago Sun Times reports, and the resultant fine the greatest ever issued by the Department of Health and Human Services for a healthcare privacy breach. The total is three times bigger than the previous record sum paid to the government in a privacy case.
An official for the US health agency emphasized how large breaches erode “people’s confidence” in the privacy of their sensitive information.
“We believe such a large breach of trust merits a substantial payment,” said Roger Severino, director of the HHS Office for Civil Rights.
“Hackers are out there always, and large healthcare entities, in particular, are targets,” Severino added.
Anthem must now also carry out an action plan under government supervision, which will see a full audit of the firm’s cyber risk to ensure the right measures will be carried out to combat future privacy threats.
Anthem has said the firm is not aware that any identity theft has taken place as a result of the breach, but credit monitoring and ID theft insurance has been issued to all potential victims.
“Anthem takes the security of its data and the personal information of consumers very seriously. We have cooperated with (the government) throughout their review and have now reached a mutually acceptable resolution,” Anthem said.
While the breach was discovered in 2015, cyber attackers had been phishing employees on the Anthem systems for weeks prior, with specialists suggesting that the scale of the attack could mean the involvement of a foreign government. The security system at Anthem was eventually breached when hackers established the log-ins of IT administrators.
The investigation into the breach has concluded that Anthem did not have adequate measures in place to respond to the situation at the time and that the firm’s minimum access controls needed to close out intrusions had been lacking since early 2014.
While the General Data Protection Regulation (GDPR) is not enforceable in the US, this record-breaking penalty sends a clear message to global organisations that the American government is beginning to give personal data privacy the respect it demands.
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.
Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/