Anthem Agrees to $48 Million Multi-State Settlements Over 2014 Data Breach

Rivkin Radler LLP

Rivkin Radler LLP

Health insurer Anthem, Inc. has finally reached a settlement with a coalition of 41 states plus the District of Columbia, and a separate settlement with California, to resolve state attorney general investigations of a data breach that occurred in 2014. Anthem has agreed to pay the states a total monetary penalty of $48.2 million.

The incident was the largest breach of healthcare data in U.S. history. Cyber attackers installed malware on Anthem’s information technology systems through a phishing email and, over the course of several months, were able to access protected information of over 78 million individuals, including names, dates of birth, social security numbers, healthcare identification numbers, addresses, emails, phone numbers, and employment information.

When Anthem announced the breach in early 2015, it triggered multiple investigations for violations of federal and state privacy laws. The U.S. Department of Health’s Office for Civil Rights (OCR) investigated the breach for a HIPAA violation and Anthem settled the case with OCR for $16 million in 2018. Anthem also settled a class action lawsuit brought on behalf of the individuals affected by the breach for $115 million in 2018. With the new settlements, Anthem will have paid a total of $179.2 million to settle legal actions and investigations as a result of the 2014 cyberattack.

Anthem has also agreed to take additional measures to strengthen its security practices going forward, including: (i) implementing a comprehensive information security program based on the principles of zero trust architecture; (ii) regular security reporting to Anthem’s Board of Directors and prompt notice of any security events to the company’s CEO; (iii) implementing additional security requirements such as multi-factor authentication, network segmentation, access controls, data encryption, and logging and monitoring of system activity; (iv) conducting regular security risk assessments, penetration tests and employee training; and (v) undergoing third-party security audits and assessments for three years.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Rivkin Radler LLP | Attorney Advertising

Written by:

Rivkin Radler LLP

Rivkin Radler LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.