Health insurer Anthem Inc., based in Indianapolis, IN, has settled the multi-state actions filed by state attorneys general in relation to its 2014 data breach, which exposed 78.8 million records. One settlement of $39.5 million was reached with Attorneys General from 41 states and Washington D.C. A separate $8.7 million settlement was agreed with the California Attorney General. The settlements resolve alleged violations of federal and state laws that led to the largest healthcare data breach in the United States.
The cyberattack on Anthem took place in 2014. Hackers targeted the health insurance provider with phishing emails, and replies to those emails gave the attackers a foothold in the system. From there, the hackers had months of access to Anthem’s network and exfiltrated information from its client directories. The stolen information included the names, contact details, birth dates, Social Security numbers, and medical insurance ID numbers of current and former health plan members and staff. Anthem announced the breach in February 2015. A Chinese national and an unnamed co-conspirator were charged in connection with the cyberattack.
A breach of that magnitude naturally drew the attention of the HHS’ Office for Civil Rights (OCR), which investigated the breach and found several potential HIPAA violations. Anthem resolved the HIPAA violation case by paying OCR $16 million in October 2018. That HIPAA penalty was, and still is, the largest financial penalty ever issued against a covered entity or business associate for violating the HIPAA Rules.
Numerous lawsuits were filed on behalf of breach victims over the theft of their protected health information (PHI). Anthem settled the consolidated class-action lawsuit for $115 million in 2018.
State Attorneys General investigated the breach to determine whether HIPAA and state regulations had been violated. The multi-state investigation took 5 years to reach a conclusion. In total, Anthem has now paid $179.2 million to resolve lawsuits and legal actions related to the 2014 phishing attack.
Besides the $48.2 million financial penalty, Anthem agreed to implement several corrective actions to improve its data security practices. These include adopting a comprehensive data security program based on the principles of zero trust architecture. Security reports are now delivered regularly to the board of directors, and significant security incidents are reported promptly to the CEO.
Anthem has put in place data encryption, network segmentation, access controls, multi-factor authentication, and logging and monitoring of information system activity. Anthem performs routine security risk assessments and penetration tests and provides regular HIPAA security awareness training to its employees. The corrective action plan additionally requires third-party security reviews and assessments for three years, with the results of those audits submitted to a third-party assessor.
Anthem issued a statement regarding the settlements in which it admitted no liability. Anthem also stated that no evidence has been uncovered showing that any of the stolen data has been used for identity theft or fraud.
California Attorney General Xavier Becerra stated that when individuals must share confidential personal data with health insurance providers, those entities are obliged to protect their customers’ private information. Anthem failed in that responsibility to its customers. Anthem’s inadequate security and oversight affected a huge number of Americans, and now Anthem must pay millions as a consequence.