Anthem Hit With $48 Million in Additional Breach Penalties
Settlements Tied to 2014 Breach Also Require Insurer to Take Security Steps
The attorneys general of 41 states, plus Washington, D.C., have slapped health insurer Anthem Inc. with a $39.5 million settlement in the wake of a 2014 cyberattack that affected nearly 79 million individuals.
Meanwhile, the attorney general of California signed a separate but similar $8.7 million settlement with the health insurer.
The settlements announced Wednesday follow a $115 million settlement Anthem signed in 2018 to resolve a consolidated class action lawsuit, plus a record $16 million HIPAA settlement that same year with the Department of Health and Human Services' Office for Civil Rights.
"Regulators are clearly responding to fears raised by citizens who are concerned about becoming victims of identity theft and fraud," says privacy attorney David Holtzman of the consultancy HITprivacy LLC.
In a statement, California Attorney General Xavier Becerra noted the state's settlement resolves allegations that Anthem violated California's consumer protection laws as well as HIPAA.
The multistate settlement also alleges violations of HIPAA as well as various other state laws.
"When consumers must disclose confidential personal information to health insurers, these companies owe their customers the duty to protect their private data," Becerra said. "Anthem failed in that duty to its customers. Anthem's lax security and oversight hit millions of Americans. Now Anthem gets hit with a penalty, in the millions, in return."
In 2015, Anthem revealed a data breach exposing the personal information of 78 million consumers, including over 13.5 million Californians, the California statement notes.
The data included names, addresses, email addresses, Social Security numbers, healthcare identification numbers and dates of birth.
Hackers sent targeted phishing emails containing malware to Anthem's employees to steal credentials so they could access the insurance company's network, and then they spent months stealing information from Anthem's most sensitive database containing consumers' personal information, the California statement notes.
According to the California attorney general, an investigation into the incident found Anthem had numerous security deficiencies, including the failure to limit access to computers holding sensitive information, protect account credentials and passwords from unauthorized use, update security tools and adequately log and monitor network activity to detect malicious activity.
Under the settlement with California, as well as the multistate settlement, Anthem has agreed to take a number of corrective actions to improve its data security practices.
In its statement, the New York attorney general's office says Anthem's corrective actions include:
- Implementing a comprehensive information security program that incorporates principles of "zero trust" architecture and includes regular security reporting to the board of directors and prompt notice of significant security events to the CEO;
- Setting up security requirements for segmentation, logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing and employee training;
- Scheduling third-party security assessments and audits for three years and making them available to a third-party assessor.
Under the settlements, the health insurer is prohibited from making "the misrepresentation of the extent to which Anthem protects the privacy and security of consumers' personal information," the New York attorney general's statement notes.
Last year, two Chinese men were indicted on charges related to the breach of Anthem (see Chinese Men Charged in Hacking of Anthem).
Indictment documents in the case provided details on how Anthem and several other companies fell victim to hacking attacks allegedly carried out by the two men, plus three others.
Court documents note the breach-related activity started around February 2014. Hackers sent employees of several companies, including Anthem, phishing emails with malicious hyperlinks leading to malware. If the malware was executed, a backdoor was installed. The attackers then sought to move laterally across the victims' networks, escalating privileges and making network changes, according to the indictment.
The hackers then searched for personally identifiable and confidential information and found Anthem's enterprise data warehouse that contained data on 78.8 million individuals.
The two defendants ran queries on the data and then placed it in encrypted archive files, prosecutors allege. The attackers created a free trial account with Citrix's ShareFile data storage and transferred the data to other servers in the U.S.
The data was then transferred to China, prosecutors allege. Eventually, the defendants deleted the archives and ShareFile application. Anthem discovered the activity on Jan. 31, 2015, and the attackers lost access, the indictment says.
In a statement about the settlement, the Connecticut attorney general's office, which took a lead role in the multistate settlement with Anthem, noted that the state also co-led the multistate investigation into the 2017 Equifax data breach that culminated in a $600 million settlement.
In a statement Wednesday, Anthem noted the company "does not believe it violated the law in connection with its data security and is not admitting to any such violations" in the state settlements.
No evidence has been found that information obtained through the 2015 cyberattack targeting Anthem has resulted in fraud, the company says.
"Anthem continues to invest in a secure framework, security software and hardware, 24/7/365 security monitoring and relationships with external cybersecurity experts and ... will continue to collaborate with state and federal regulators and partners in this critical work," the statement says.
Privacy attorney Iliana Peters of the law firm Polsinelli says the Anthem settlements with the states are a wake-up call for other healthcare sector entities.
"It's very important for HIPAA covered entities and business associates to understand that their legal risk with regard to state liability under HIPAA and under state data protection laws just continues to increase, particularly with involvement of state attorneys general in multiple states with regard to breaches by a single entity," she says.
"In other words, the state attorneys general appear to be pooling their resources more often recently to undertake a settlement with a particular entity to address data privacy and security issues that implicate HIPAA and the laws of multiple states."