October 9, 2020

Anthem Agrees to $48 Million Multi-State Settlements Over 2014 Data Breach

Rivkin Radler LLP

+ Follow Contact

Send

Embed

Rivkin Radler LLP

Health insurer Anthem, Inc. has finally reached a settlement with a coalition of 41 states plus the District of Columbia, and a separate settlement with California, to resolve state attorney general investigations of a data breach that occurred in 2014. Anthem has agreed to pay the states a total monetary penalty of $48.2 million.

The incident was the largest breach of healthcare data in U.S. history. Cyber attackers installed malware on Anthem’s information technology systems through a phishing email and, over the course of several months, were able to access protected information of over 78 million individuals, including names, dates of birth, social security numbers, healthcare identification numbers, addresses, emails, phone numbers, and employment information.

When Anthem announced the breach in early 2015, it triggered multiple investigations for violations of federal and state privacy laws. The U.S. Department of Health’s Office for Civil Rights (OCR) investigated the breach for a HIPAA violation and Anthem settled the case with OCR for $16 million in 2018. Anthem also settled a class action lawsuit brought on behalf of the individuals affected by the breach for $115 million in 2018. With the new settlements, Anthem will have paid a total of $179.2 million to settle legal actions and investigations as a result of the 2014 cyberattack.

Anthem has also agreed to take additional measures to strengthen its security practices going forward, including: (i) implementing a comprehensive information security program based on the principles of zero trust architecture; (ii) regular security reporting to Anthem’s Board of Directors and prompt notice of any security events to the company’s CEO; (iii) implementing additional security requirements such as multi-factor authentication, network segmentation, access controls, data encryption, and logging and monitoring of system activity; (iv) conducting regular security risk assessments, penetration tests and employee training; and (v) undergoing third-party security audits and assessments for three years.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

Written by:

Rivkin Radler LLP

Contact + Follow

Ada Janocinska

+ Follow

less

Published In:

Anthem Insurance

+ Follow

Class Action

+ Follow

Cyber Attacks

+ Follow

Cybersecurity

+ Follow

Data Breach

+ Follow

Data Privacy

+ Follow

Department of Health and Human Services (HHS)

+ Follow

Electronic Protected Health Information (ePHI)

+ Follow

Hackers

+ Follow

HIPAA Breach

+ Follow

Multi-Factor Authentication

+ Follow

OCR

+ Follow

Personally Identifiable Information

+ Follow

Privacy Laws

+ Follow

Security Audits

+ Follow

Security Risk Assessments

+ Follow

Settlement

+ Follow

Civil Remedies

+ Follow

Health

+ Follow

Science, Computers & Technology

+ Follow

less

Rivkin Radler LLP on:

Anthem Agrees to $48 Million Multi-State Settlements Over 2014 Data Breach

Related Posts

Latest Posts

Written by:

Published In:

Rivkin Radler LLP on:

"My best business intelligence, in one easy email…"