Anthem has agreed to pay $39.5 million in penalties and fees resulting from a sweeping 2015 cyberattack on the health insurer as part of a multi-state settlement, the company announced Wednesday.
It’s the latest fallout from a major data breach that exposed data on some 79 million people, and which U.S. authorities have blamed on a Chinese hacker.
The settlement, based on an investigation by attorneys general in over 40 states, requires Anthem to implement a security program that includes penetration-testing, and logging and monitoring of networks. It also bars Anthem from misrepresenting how the company protects its customers’ privacy and security, according to the New York attorney general’s office.
“The company is pleased to have resolved this matter, which is the last open investigation related to the 2015 cyberattack,” Indianapolis-based Anthem said in a statement, adding that it has an “ongoing and consistent focus on protecting information.”
The repercussions of the Anthem hack are an example of how big companies in various sectors, ranging from Capital One to Fiserv, are being forced to defend their information security practices in litigation.
The incident at Anthem, one of the largest U.S. health insurers, began in February 2014, with a phishing email to one of Anthem’s subsidiaries. Anthem did not discover the intrusion until months later, and announced it in February 2015.
The impact was dramatic. The hackers stole sensitive personal data, including Social Security numbers, and prompted a record $16 million settlement with the U.S. government over potential Health Insurance Portability and Accountability Act violations. A separate $115 million settlement in 2017 forced Anthem to pay credit monitoring and reimbursement fees to customers.
Anthem found no evidence of fraud stemming from the hack, the company reiterated on Wednesday.
A 2019 indictment of an accused Chinese hacker for the Anthem breach did not point the finger directly at Beijing. But U.S. government officials have cited that breach, along with other major hacks at the Office of Personnel Management and credit-monitoring firm Equifax, as potential intelligence bonanzas for the Chinese government. Beijing has denied having a role in the hacks.
In its statement, Anthem referred to the cyberattack as a “state-sponsored crime.”