Anthem Inc. has agreed to pay $16 million to the U.S. Department of Health and Human Services in connection with a series of cyberattacks that affected electronic protected health information it maintained for affiliated health plans and other covered entity health plans.
An investigation by the department's Office for Civil Rights found that between Dec. 2, 2014, and Jan. 27, 2015, cyberattackers stole electronic protected health information of almost 79 million individuals, including names, Social Security numbers, medical identification numbers, addresses, dates of birth, email addresses and employment information.
The investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents and failed to implement adequate minimum access controls to prevent cyberattackers from accessing sensitive electronic protected health information, beginning as early as Feb. 18, 2014.
To settle potential violations related to the attacks, Anthem has also agreed to undertake a corrective action plan to comply with the Health Insurance Portability and Accountability Act's privacy and security rules.