
Anthem, HHS settle over health information breach


Anthem Inc. has agreed to pay $16 million to the U.S. Department of Health and Human Services’ Office for Civil Rights in connection with the 2016 cyber attacks that exposed the health information of almost 79 million people.

The OCR said in a statement Tuesday that the agreement to pay $16 million settles potential violations of the Health Insurance Portability and Accountability Act’s privacy and security rules.

Anthem said in a statement the settlement agreement is not an admission it acted improperly.

The OCR said in its statement that Anthem filed a breach report with the HHS Office for Civil Rights stating it had discovered the attack on Jan. 29, 2015.

OCR’s investigation revealed that the personal data of almost 79 million individuals, including names, Social Security numbers, medical identification numbers, addresses, dates of birth, email addresses and employment information, had been stolen.

The statement said OCR’s investigation also revealed Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber attackers from accessing sensitive information.

Under terms of the settlement, Anthem will undertake “a robust correction action plan” to comply with HIPAA rules, the OCR said in its statement.

Anthem said in a statement it “takes the security of its data and the personal information of consumers very seriously.” It said, “We have cooperated with the OCR throughout their review and have now reached a mutually acceptable resolution.

“At the time of the incident, our first priority was to ensure that our systems were secure, which we did by engaging a world-class security organization and the FBI. 

“Additionally, we provided initial notice within 4 business days, and credit protections within 11 business days. We are not aware of any fraud or identity theft that has occurred as a result of this incident.

“Importantly, the agreement reached with OCR specifically states that it is not an ‘admission, concession, or evidence’ that Anthem acted improperly.”

Anthem agreed to settle litigation over the hacking for $115 million in 2017.

 

 

 
