Health insurance company Anthem Inc. of Indianapolis, IN has resolved the multi-state lawsuits filed by state attorneys general over its 2014 data breach, which exposed 78.8 million records. One settlement, for $39.5 million, was concluded with the Attorneys General of 41 states and Washington D.C. A separate $8.7 million settlement was reached with the California Attorney General. The settlements concerned violations of federal and state laws connected to the largest healthcare data breach in the United States.
The cyberattack on Anthem took place in 2014. The attackers targeted the health insurance company with phishing emails, and responses to those emails gave them an initial foothold in the network. From there, the attackers retained access to Anthem's network for months and exfiltrated data from its customer databases. The stolen information included the names, contact details, dates of birth, Social Security numbers and health insurance ID numbers of current and former health plan members and employees. Anthem reported the breach in February 2015. A Chinese national and an unnamed accomplice were later charged in connection with the attack.
A breach of that magnitude naturally drew the attention of the HHS' Office for Civil Rights (OCR), which investigated the breach and identified a number of potential violations of the HIPAA Rules. Anthem settled the HIPAA violation case with OCR for $16 million in October 2018. That penalty was, and still is, the largest financial penalty ever imposed on a covered entity or business associate for violating the HIPAA Rules.
Many lawsuits were filed on behalf of data breach victims over the theft of their protected health information (PHI). Anthem settled the consolidated class-action lawsuit for $115 million in 2018.
State Attorneys General also investigated the breach to determine whether HIPAA and state laws had been violated. The multi-state investigation took 5 years to reach a conclusion. In total, Anthem has paid $179.2 million to resolve lawsuits and legal actions arising from the 2014 cyberattack.
In addition to the $48.2 million in financial penalties, Anthem agreed to a number of corrective actions to strengthen its data security practices. These include implementing a comprehensive data security program based on the principles of zero trust architecture. Security reports are now delivered regularly to the board of directors, and significant security incidents must be reported promptly to the CEO.
Anthem has implemented network segmentation, data encryption, multi-factor authentication, access controls, and logging and monitoring of information system activity. Anthem conducts regular penetration tests and security risk assessments and provides routine security awareness training to its staff. The corrective action plan also requires Anthem to undergo third-party security reviews and assessments for three years and to submit the findings of those audits to an independent assessor.
In a statement on the settlements, Anthem said that it does not admit liability. Anthem also stated that no evidence has been found to suggest that any of the stolen data has been used for fraud or identity theft.
California Attorney General Xavier Becerra said that when people are required to disclose confidential personal data to health insurance companies, those companies have an obligation to secure their customers' personal information. Anthem failed to meet that obligation to its customers. Anthem's inadequate security and oversight affected a large number of Americans, and as a result Anthem now has to pay millions.