Share this article on:
The Indianapolis, IN-based health insurer Anthem Inc. has settled a multi-state investigation by state attorneys general over its 78.8 million record data breach in 2014. One settlement was agreed with Attorneys General in 43 states and Washington D.C for $39.5 million and a separate settlement was reached with the California Attorney General for $8.7 million. The settlements resolve violations of Federal and state laws that contributed to the data breach – the largest ever breach of healthcare data in the United States.
The cyberattack on Anthem occurred in 2014. Hackers targeted the health insurer with phishing emails, the responses to which gave them the foothold in the network they needed. From there, the hackers spent months exploring Anthem’s network and exfiltrating data from its customer databases. Data stolen in the attack included the names, contact information, dates of birth, health insurance ID numbers, and Social Security numbers of current and former health plan members and employees. And was announced by Anthem in February 2015. A Chinese national and an unnamed accomplice were charged in connection with the cyberattack in May 2019.
A breach on that scale naturally attracted the attention of the HHS’ Office for Civil Rights (OCR), which investigated the breach and discovered multiple potential violations of the HIPAA Rules. Anthem settled the HIPAA violation case with OCR for $16 million in October 2018. The HIPAA violation penalty was, and still is, the largest ever financial penalty imposed on a covered entity or business associate for violations of the HIPAA Rules.
Many lawsuits were filed on behalf of victims of the data breach over the theft of their protected health information. Anthem settled the consolidated class action lawsuit for in 2018 for $115 million.
State Attorneys General investigated the breach to determine whether HIPAA and state laws had been violated. The multi-state investigation has taken 5 years to come to a conclusion, but the settlements now draw a line under the breach. Anthem has now paid $179.2 million to settle lawsuits and legal actions over the 2014 cyberattack.
In addition to the $48.2 million financial penalty, Anthem agreed to take a number of corrective actions to improve data security practices. These include implementing a comprehensive information security program based on the principles of zero trust architecture. Regular security reports are now sent to the board of directors and significant security events are reported promptly to the CEO.
Anthem has implemented multi-factor authentication, network segmentation, access controls, data encryption, is logging and monitoring information system activity. Anthem is conducting regular security risk assessments and penetration tests and provides regular security awareness training to its workforce. The corrective action plan also includes the requirement to undergo third-party security audits and assessments for three years, and to provide the results of those audits to a third-party assessor.
Anthem issued a statement in relation to the settlements saying, “[Anthem] does not believe it violated the law in connection with its data security and is not admitting to any such violations,” and also said that there had been no evidence uncovered to indicate any information stolen in the attack has been used to commit fraud or identity theft.
“When consumers must disclose confidential personal information to health insurers, these companies owe their customers the duty to protect their private data,” said California Attorney General Xavier Becerra. “Anthem failed in that duty to its customers. Anthem’s lax security and oversight hit millions of Americans. Now Anthem gets hit with a penalty, in the millions, in return.”