Anthem will pay $39.5 million in a settlement related to one of the biggest healthcare data breaches to date. Between December 2014 and January 2015, the insurer was hit by a cyberattack that compromised the personal information of nearly 79 million people, including names, addresses, Social Security numbers and medical identification numbers.
According to an investigation by the Department of Health and Human Services' Office for Civil Rights (OCR), the attackers gained access to Anthem's systems through targeted (spear-phishing) emails sent to one of its subsidiaries. Last year, the Department of Justice indicted two people in connection with the hack, though little was shared about their motives or affiliation.
The breach resulted in Anthem paying a $16 million HIPAA settlement to OCR and settling a class action lawsuit for $115 million in 2018.
The recent settlement resolves a separate investigation brought by a group of state attorneys general, including those of New York, Connecticut, Illinois, Indiana, Kentucky, Massachusetts and Missouri.
In addition to paying nearly $40 million, the insurer will also change its security practices: it must implement a comprehensive information security program and meet specific requirements for network segmentation, monitoring, encryption and employee training. Anthem must also undergo third-party security assessments and audits for three years.
In a statement released on Wednesday, Anthem said it would continue to invest in its security, and said no evidence has been found that the attack has resulted in fraud.
“The company is pleased to have resolved this matter, which is the last open investigation related to the 2015 cyber-attack. Anthem does not believe it violated the law in connection with its data security and is not admitting to any such violations in this settlement with the State Attorneys General,” the company stated.