Anthem Hit With $48 Million in Additional Breach Penalties
The attorneys general of 41 states, plus Washington, D.C., have slapped health insurer Anthem Inc. with a $39.5 million settlement in the wake of a 2014 cyberattack that affected nearly 79 million individuals. Meanwhile, the attorney general of California signed a separate but similar $8.7 million settlement with the health insurer. The settlements announced Wednesday follow a $115 million settlement Anthem signed in 2018 to resolve a consolidated class action lawsuit, plus a record $16 million HIPAA settlement that same year with the Department of Health and Human Services' Office for Civil Rights.
In 2015, Anthem revealed a data breach exposing the personal information of 78 million consumers, including over 13.5 million Californians, the California statement notes.
The data included names, addresses, email addresses, Social Security numbers, healthcare identification numbers and dates of birth. Hackers sent Anthem employees targeted phishing emails carrying malware, stole credentials that gave them access to the insurer's network, and then spent months exfiltrating information from Anthem's most sensitive database of consumers' personal information, the California statement notes.
According to the California attorney general, an investigation into the incident found Anthem had numerous security deficiencies, including the failure to limit access to computers holding sensitive information, protect account credentials and passwords from unauthorized use, update security tools and adequately log and monitor network activity to detect malicious activity.
"When consumers must disclose confidential personal information to health insurers, these companies owe their customers the duty to protect their private data," California Attorney General Xavier Becerra said. "Anthem failed in that duty to its customers. Anthem's lax security and oversight hit millions of Americans. Now Anthem gets hit with a penalty, in the millions, in return."
Under the settlement with California, as well as the multistate settlement, Anthem has agreed to take a number of corrective actions to improve its data security practices.
In its statement, the New York attorney general's office says Anthem's corrective actions include implementing a comprehensive information security program that incorporates principles of "zero trust" architecture and includes regular security reporting to the board of directors and prompt notice of significant security events to the CEO.