$48.2 Million in HIPAA Penalties Paid by Anthem to Settle State Attorneys General Data Breach Investigations

by | Oct 2, 2020

Anthem Inc. has agreed to settle actions brought by state attorneys general across the United States in relation to the 2014 data breach that exposed 78.8 million records.

Along with the $48.2 million financial penalty, Anthem has committed to implementing a number of corrective actions to improve its data security practices. These include implementing a comprehensive information security program based on the principles of zero trust architecture. Ongoing security updates are now shared with the board of directors, and significant security events are reported to the CEO as soon as possible.

Two separate settlements were reached: one with the Attorneys General of 43 states and Washington D.C. for $39.5 million, and another with the California Attorney General for $8.7 million. The settlements resolve alleged violations of federal and state laws that led to the data breach, the largest breach of healthcare data seen in the United States to date.

The cyberattack on Anthem began when hackers targeted the health insurance provider with phishing emails. Anyone who responded to these emails inadvertently allowed the attackers to establish a foothold on the network. From there, the hackers spent months moving through Anthem’s network and stealing data from its customer databases. The stolen data included names, contact information, dates of birth, health insurance ID numbers, and Social Security numbers of current and former health plan members and employees. Anthem made the breach public in February 2015. In May 2019, a Chinese national and an unidentified accomplice were linked to the cyberattack and an arrest was made.
</gml:gr_replace>
<gr_replace lines="13" cat="clarify" orig="The HHS’ Office">
The HHS’ Office for Civil Rights (OCR) investigated the breach and identified a number of potential violations of the HIPAA Rules. Anthem settled the HIPAA case with OCR for $16 million in October 2018. That fine was, and still is, the largest financial penalty ever imposed on a covered entity or business associate for violations of the HIPAA Rules.

The HHS’ Office for Civil Rights (OCR) held an inquiry into the breach and found  a number of possible breaches of the HIPAA Rules. Anthem settled the HIPAA violation with OCR for $16 million in October 2018. The HIPAA violation fine was, and still is, the largest ever financial penalty sanctioned against a covered entity or business associate for breaches of the HIPAA compliance rules.

Many legal actions were filed on behalf of victims of the data breach over the theft of their protected health information. Anthem settled the consolidated class action lawsuit in 2018 for $115 million.

State Attorneys General investigated the breach to determine whether HIPAA and state laws had been violated. The multi-state investigation took some five years to complete, and the settlements now bring it to a close. In total, Anthem has now paid $179.2 million to settle lawsuits and legal actions relating to the 2014 cyberattack.

To address the breach, Anthem has implemented multi-factor authentication, network segmentation, access controls, and data encryption, and is logging and monitoring information system activity. Anthem is carrying out ongoing security risk assessments and penetration tests and conducts regular security awareness training for its staff. The corrective actions also oblige Anthem to undergo third-party security audits and assessments for three years and to provide the reports from those audits to a third-party assessor.

Anthem released a statement saying: “[Anthem] does not believe it violated the law in connection with its data security and is not admitting to any such violations,” and added that no evidence had been uncovered to indicate that any information stolen in the attack has been used to commit fraud or identity theft. “When consumers must disclose confidential personal information to health insurers, these companies owe their customers the duty to protect their private data,” said California Attorney General Xavier Becerra. “Anthem failed in that duty to its customers. Anthem’s lax security and oversight hit millions of Americans. Now Anthem gets hit with a penalty, in the millions, in return.”


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
