$48.2 Million In HIPAA Penalties Paid by Anthem to Settle State Attorneys General Data Breach Investigations

Anthem Inc. has reached an agreement to settle actions brought by state attorneys general in several US states in relation to the 2014 data breach that exposed 78.8 million records.

Along with the $48.2 million financial penalty, Anthem has committed to implementing a number of corrective actions to improve its data security practices. These include implementing a comprehensive information security program based on the principles of zero trust architecture. Ongoing security updates are now shared with the board of directors, and significant security events are reported to the CEO as soon as possible.

Two separate settlements were reached: one with the Attorneys General of 43 states and Washington D.C. for $39.5 million, and another with the California Attorney General for $8.7 million. The settlements address violations of federal and state laws that led to the data breach, which remains the largest breach of healthcare data seen in the United States to date.

The cyberattack on Anthem took place in 2014, when hackers targeted the health insurance provider with phishing emails. Employees who responded to these emails inadvertently allowed the attackers to establish a foothold on the network. From there, the hackers spent months moving through Anthem’s network and stealing data from its customer databases. The stolen data included names, contact information, dates of birth, health insurance ID numbers, and Social Security numbers of current and former health plan members and employees. Anthem made the breach public in February 2015, and a Chinese national and an unidentified accomplice were later linked to the cyberattack, with an arrest made in May 2019.

The HHS’ Office for Civil Rights (OCR) investigated the breach and identified a number of potential violations of the HIPAA Rules. Anthem settled the HIPAA case with OCR for $16 million in October 2018. That fine was, and still is, the largest financial penalty ever imposed on a covered entity or business associate for violations of the HIPAA Rules.

Numerous lawsuits were filed on behalf of victims of the data breach over the theft of their protected health information. Anthem settled the consolidated class action lawsuit in 2018 for $115 million.

State Attorneys General investigated the breach to determine whether HIPAA and state laws had been violated. The multi-state investigation took some five years to complete, and the settlements now bring it to an end. In total to date, Anthem has paid $179.2 million to settle lawsuits and legal actions relating to the 2014 cyberattack.

To address the breach, Anthem has implemented multi-factor authentication, network segmentation, access controls, and data encryption, and is logging and monitoring information system activity. Anthem is carrying out ongoing security risk assessments and penetration tests and conducts regular security awareness training for its staff. The corrective actions also obligate Anthem to undergo third-party security audits and assessments for three years and to provide the reports from those audits to a third-party assessor.

Anthem released a statement saying: “[Anthem] does not believe it violated the law in connection with its data security and is not admitting to any such violations.” The company also said that no evidence had been uncovered to indicate that any information stolen in the attack has been used to commit fraud or identity theft.

“When consumers must disclose confidential personal information to health insurers, these companies owe their customers the duty to protect their private data,” said California Attorney General Xavier Becerra. “Anthem failed in that duty to its customers. Anthem’s lax security and oversight hit millions of Americans. Now Anthem gets hit with a penalty, in the millions, in return.”