A multi-state investigation by attorneys general in 42 states and Washington D.C. over the 78.8 million record data breach suffered by Anthem Inc. in 2014 has been settled. Anthem has agreed to pay $39.5 million to settle the multi-state action and a separate $8.69 million settlement has been reached with the California attorney general to resolve its investigation, which was conducted in parallel with the multi-state investigation.
Anthem was investigated by the state attorneys general after the health insurer announced its mega data breach in February 2015. Hackers had gained access to Anthem’s computer network after employees responded to phishing emails. The initial attack occurred in 2014. After gaining access to Anthem’s systems, the attackers spent months exploring the network and exfiltrating data from Anthem’s customer databases. Totaling 78.8 million records, the breach was the largest ever healthcare data breach. The hackers behind the attack stole consumers’ names, addresses, email addresses, Social Security numbers, healthcare identification numbers, and dates of birth.
Anthem reported the breach to law enforcement and has cooperated with the criminal investigation into the breach, which culminated in the Department of Justice indicting a Chinese hacker and an unnamed accomplice in 2019.
The attorneys general investigation revealed Anthem had multiple deficiencies in basic cybersecurity, which violated the Federal Health Insurance Portability and Accountability Act (HIPAA) and laws in multiple states. Anthem was found to have failed to limit access to computers containing sensitive data, had not protected credentials and passwords from unauthorized use, was not properly monitoring system activity and reviewing security logs to identify malicious activity, was not updating its security tools, along with other security failures.
“Companies, like Anthem, that collect and maintain personal information have a duty to maintain its security and privacy,” said Delaware Attorney General Kathy Jennings. “Anthem breached that trust and today my office, together with other attorneys general, is holding it accountable.”
In addition to paying the financial penalties, Anthem is required to update its information security program and take several actions to improve security. The settlement with California includes 22 security requirements including requirements for network segmentation, logging and monitoring, privileged account management, antivirus maintenance, access controls, remote access, multi-factor authentication, encryption, risk assessments, vulnerability management, email filtering, network sensors, and end user security awareness training.
Anthem is also required to conduct penetration tests and must arrange for a third-party audit of security annually for three years, and the findings from the security audit must be provided to a third-party assessor. Anthem settled the case with no admission of liability and maintained that the company had done nothing wrong.
“When consumers must disclose confidential personal information to health insurers, these companies owe their customers the duty to protect their private data,” said Attorney General Becerra. “Consumers are left with little choice but to trust that their personal health information will be safe and secure. Anthem failed in that duty to its customers. Anthem’s lax security and oversight hit millions of Americans. Now Anthem gets hit with a penalty, in the millions, in return.”
This is not the only financial penalty Anthem has paid in connection with the data breach. The HHS’ Office for Civil Rights also investigated Anthem over the breach and discovered multiple violations of the HIPAA Rules – Risk analysis failure, insufficient reviews of system activity, failure to respond to a detected breach, and insufficient technical controls to prevent unauthorized ePHI access. OCR imposed its largest ever HIPAA fine on Anthem – $16 million. Anthem also settled a consolidated class action lawsuit for $115 million in 2018 which provided compensation to victims of the breach.