Anthem Settles with 44 States for $40M Over 2014 Breach of 78.8M

October 01, 2020 - A multi-state coalition made up of 44 states and Washington, D.C reached a $39.5 million settlement with Anthem, to resolve breach claims stemming from the insurer’s 2014 cyberattack that compromised the data of 78.8 million patients. 

A foreign advanced persistent threat actor (APT) hacked into Anthem’s database beginning in February 2014. However, the insurer did not discover the breach until nearly a year later in January 2015. The access was gained after an employee opened a phishing email, which contained the malicious payload. 

In doing so, the threat actor gained remote access to the employee’s computer and at least 90 other systems within Anthem’s infrastructure, including its database. The compromised data included names, dates of birth, medical IDs, Social Security numbers, and contact details. Employment details were also compromised during the incident. 

It was the largest breach of 2015 and has remained the largest healthcare data breach, leading to a record-breaking $115 million class-action settlement with breach victims and the largest Office for Civil Rights settlement in the agency’s history for $16 million and a corrective action plan. The Department of Justice indicted the Chinese-based hacker behind the attack in 2019. 

The multi-state settlement will finally resolve all breach allegations stemming from the massive hack. 

“Companies, like Anthem, that collect and maintain personal information have a duty to maintain its security and privacy,” said Delaware Attorney General Kathy Jennings, in a statement. “Anthem breached that trust and today my office, together with other attorneys general, is holding it accountable.” 

“Consumers are left with little choice but to trust that their personal health information will be safe and secure,” said California Attorney General Xavier Becerra, in a statement. “Anthem failed in that duty to its customers. Anthem’s lax security and oversight hit millions of Americans. Now Anthem gets hit with a penalty, in the millions, in return." 

The monetary settlement will be distributed to states according to the number of victims. California will receive $8.69 million, Delaware will receive $162,707, New York will receive $2.7 million, and Florida will receive $600,000, among other settlements. 

In addition to the monetary settlements, Anthem agreed to a series of provisions to strengthen its security practices. Those security requirements include a prohibition against misrepresentations about Anthem’s privacy and security practices for personal health information in its possession. 

Anthem must also implement a comprehensive information security program, which will include zero trust architecture, regular security reporting to the board of directors, and prompt notice of significant security events to the CEO. 

The agreement also includes specific security requirements, such as network segmentation, logging and monitoring, anti-virus maintenance, access controls, two-factor authentication, encryption, risk assessments, penetration testing, and employee training, in addition to other security requirements. 

The insurer must also incorporate third-party security assessments and audits for the next three years and is required to make its risk assessments available to a third-party assessor at that time. Anthem also agreed to further data security and good governance provisions to bolster its security. 

Immediately following the breach, Anthem provided victims with two years of free credit monitoring. 

In its own release, Anthem officials said they’ve invested in their security framework, as well as security hardware and software and employing 24-hour security monitoring. The insurer has also entered into relationships with external cybersecurity experts and is active with HITRUST. 

"Data breaches have far-reaching and long-lasting effects on people’s lives," Florida Attorney General Ashley Moody said in a statement. "When companies fail to protect customers’ personal information, they owe it to the public to disclose that information quickly and to take steps to protect them from further damage."

The multi-state settlement is indeed the largest stemming from a healthcare data breach, but closely followed by the $10 million agreement between Premera and 30 states for its 2014 hack that impacted 10.4 million patients.