In late 2018, Anthem Inc., an independent carrier of the Blue Cross and Blue Shield Association, settled two major claims made against them in the wake of a 2015 security breach that exposed the confidential personal and employment data of 79 million people.
The breach that precipated these civil actions occurred when an employee at one of Anthem’s subsidiary companies opened a phishing email with malicious content, which allowed hackers remote access into Anthem’s data warehouse and other computer systems, ultimatedly exposing names, date of birth, social security numbers, street addresses, and employee income figures. The “continuous and targeted” attacks went undetected from the beginning of December, 2014 to late January, 2015, which is how such a large number of consumers and Anthem employees were affected.
In August, U.S. District Judge Lucy Koh gave final approval for the first settlement, the result of a 2017 class action lawsuit, awarding $115 million to the consumers whose data was exposed. Judge Koh’s ruling puts an end to any further civil claims against Anthem and follows on the heels of a judgment ordering Anthem to provide victims of the breach with two years of credit monitoring — or cash for those who already had access to credit monitoring — and reimbursement of any out-of-pocket costs victims had related to the breach. That settlement also ordered Anthem to shore up its security protection measures of personal data in the event of another cybersecurity attack.
The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) also sued Anthem, claiming that the breach constituted multiple violations of the Health Insurance Portability and Accountability Act (HIPAA). In October, 2018, Anthem agreed to pay the government agency $16 million, the largest settlement of it kind to date, eclipsing a $5.55 million settlement that OCR received in 2016 from Memorial Healthcare System.
Anthem did not admit liability as part of its settlement to the federal government. However, in addition to paying out the financial damages, Anthem agreed to conduct a risk analysis of its security systems and correct any deficiencies it finds. HHS will oversee Anthem’s progress in this endeavor.
OCR Director Roger Severino announced, in a media release, that the health insurance giant “failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information.” He went on to observe, “We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”
The OCR found that Anthem had not taken sufficient steps to protect its security systems from cyberattacks. In particular, the company had failed to conduct an enterprise-wide risk analysis, nor did they have sufficient procedures in place to review information system activity. Moreover, they had failed to identify and react to suspected or actual security breaches, and they did not implement even the minimum level of controls that could have prevented the cyber-attackers from gaining access to sensitive ePHI.
Anthem responded by saying that they responded swiftly when they learned of the breach, and that their first priority was to make sure that the systems were secure. “Additionally,” a company spokesperson said, “we provided initial notice within four business days, and credit protections within 11 business days.” The company says that they were unaware of any identity theft or fraud stemming from the cyber-attacks.
In addition to these civil actions, the California Department of Insurance launched a probe into the cyberattack itself. In a statement, Insurance Commissioner Dave Jones said that their examination team concluded “with a significant degree of confidence” that the cyber attacker had acted on behalf of a foreign government.
In stark contrast to the OCR’s description of a company unprepared to handle a cyber-attack of this scope, investigators with the California Department of Insurance found that Anthem had taken reasonable measures to protect its data before the breach took place and that they had used a remediation plan, which allowed for a quick response once they detected the breach. They also noted that Anthem was amenable to addressing its security vulnerabilities. At the end of their investigation, they concluded that the company’s existing and planned improvements to its cybersecurity protocol were reasonable.