Health insurer Anthem, Inc. has finally reached a settlement with a coalition of 41 states plus the District of Columbia, and a separate settlement with California, to resolve state attorney general investigations of a data breach that occurred in 2014. Anthem has agreed to pay the states a total monetary penalty of $48.2 million.
The incident was the largest breach of healthcare data in U.S. history. Cyber attackers installed malware on Anthem’s information technology systems through a phishing email and, over the course of several months, were able to access protected information of over 78 million individuals, including names, dates of birth, social security numbers, healthcare identification numbers, addresses, emails, phone numbers, and employment information.
When Anthem announced the breach in early 2015, it triggered multiple investigations for violations of federal and state privacy laws. The U.S. Department of Health’s Office for Civil Rights (OCR) investigated the breach for a HIPAA violation and Anthem settled the case with OCR for $16 million in 2018. Anthem also settled a class action lawsuit brought on behalf of the individuals affected by the breach for $115 million in 2018. With the new settlements, Anthem will have paid a total of $179.2 million to settle legal actions and investigations as a result of the 2014 cyberattack.
Anthem has also agreed to take additional measures to strengthen its security practices going forward, including: (i) implementing a comprehensive information security program based on the principles of zero trust architecture; (ii) regular security reporting to Anthem’s Board of Directors and prompt notice of any security events to the company’s CEO; (iii) implementing additional security requirements such as multi-factor authentication, network segmentation, access controls, data encryption, and logging and monitoring of system activity; (iv) conducting regular security risk assessments, penetration tests and employee training; and (v) undergoing third-party security audits and assessments for three years.