Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

Insurer Anthem Will Pay Record $16M for Massive Data Breach

The nation’s second-largest health insurer has agreed to pay the government a record $16 million to settle potential privacy violations in the biggest known health care hack in U.S. history, officials said Monday.

The nation’s second-largest health insurer has agreed to pay the government a record $16 million to settle potential privacy violations in the biggest known health care hack in U.S. history, officials said Monday.

The personal information of nearly 79 million people — including names, birthdates, Social Security numbers and medical IDs — was exposed in the cyberattack, discovered by the company in 2015.

The settlement between Anthem Inc. and the Department of Health and Human Services represents the largest amount collected by the agency in a health care data breach, officials said.

“When you have large breaches it erodes people’s confidence in the privacy of their sensitive information, and we believe such a large breach of trust merits a substantial payment,” said Roger Severino, director of the HHS Office for Civil Rights. The office also enforces the federal health care privacy law known as HIPAA, or the Health Insurance Portability and Accountability Act.

Severino said the Anthem settlement is nearly three times larger than the previous record amount paid to the government in a privacy case. That sends a message to the industry that “hackers are out there always and large health care entities in particular are targets,” he added.

The Blue Cross-Blue Shield insurer also agreed to a corrective action plan under government monitoring, which involves a process for the company to assess its electronic security risks, take appropriate countermeasures and maintain ongoing surveillance.

Indianapolis-based Anthem covers more than 40 million people and sells individual and employer coverage in key markets like New York and California. The payment is in lieu of civil penalties that HHS may have imposed. Anthem admitted no liability. The civil case involving privacy laws is separate from any other investigation the government may be pursuing.

In a statement Monday, Anthem said it’s not aware of any fraud or identity theft stemming from the breach. The company provided credit monitoring and identity theft insurance to all customers potentially affected.

Advertisement. Scroll to continue reading.

“Anthem takes the security of its data and the personal information of consumers very seriously,” the statement said. “We have cooperated with (the government) throughout their review and have now reached a mutually acceptable resolution.”

The company discovered the data breach in early 2015, but hackers had been burrowing into its systems for weeks. Security experts said at the time that the size and scope of the attack indicated potential involvement by a foreign government.

Hackers used a common email technique called spear-phishing in which unwitting company insiders are tricked into revealing usernames and passwords. The Anthem attackers gained the credentials of system administrators, allowing them to probe deeply into the insurer’s systems.

HHS said its investigation found that Anthem had failed to deploy adequate measures for countering hackers. The company lacked an enterprisewide risk analysis, had insufficient procedures to monitor activity on its systems, failed to identify and respond to suspected or known security incidents, and did not implement “adequate minimum access controls” to shut down intrusions from as early as February 2014.

Related: Foreign Nation Behind Anthem Breach, Investigation Claims

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Cloud Security

VMware described the bug as an out-of-bounds write issue in its implementation of the DCE/RPC protocol. CVSS severity score of 9.8/10.