September 30, 2020

Anthem To Pay Nearly $40M Settlement Over 2015 Cyberattack

FILE - In this May 14, 2019, file photo signage on the outside of the corporate headquarters building of health insurance company Anthem is shown in Indianapolis. Anthem has agreed to another multi-million dollar-settlement over a cyberattack on its technology that exposed the personal information of nearly 79 million people. - AP Photo/Michael Conroy, File

FILE - In this May 14, 2019, file photo signage on the outside of the corporate headquarters building of health insurance company Anthem is shown in Indianapolis. Anthem has agreed to another multi-million dollar-settlement over a cyberattack on its technology that exposed the personal information of nearly 79 million people.

AP Photo/Michael Conroy, File
TOM MURPHY - AP Health Writer

INDIANAPOLIS (AP) — Health insurer Anthem has agreed to another multimillion-dollar settlement over a cyberattack on its technology that exposed the personal information of nearly 79 million people.

The Blue Cross-Blue Shield insurer said Wednesday that it will pay $39.5 million to settle an investigation by a group of state attorneys general. Anthem said it was the last open investigation into the attack.

The company also agreed nearly two years ago with the U.S. Department of Health and Human Services to pay $16 million to settle possible privacy violations.

Indianapolis-based Anthem Inc. provides health insurance coverage to more than 42 million people in several states, including key markets like California and New York.

The company discovered the data breach in early 2015 after hackers had been burrowing into its systems for weeks. Security experts said at the time that the size and scope of the attack indicated potential involvement by a foreign government.

Hackers used a common email technique called spear-phishing in which unwitting company insiders are tricked into revealing usernames and passwords. The Anthem attackers gained the credentials of system administrators, allowing them to probe deeply into the insurer’s systems.

The attack exposed information that included names, birthdates, Social Security numbers and medical IDs.

Last year, a federal grand jury indicted two members of a hacking group operating from China in the attack.

Anthem said Wednesday that it was the victim of a “sophisticated state sponsored criminal attack group” in the attack. The insurer said it did not believe it violated the law in connection with its data security, and it was not admitting to that with its latest settlement.

The insurer also said that it has found no evidence that information obtained in the attack led to fraud.

Shares of Anthem climbed nearly 3 percent to $267.21 in morning trading, while broader indexes rose around 1 percent.

Support independent journalism today. You rely on WFYI to stay informed, and we depend on you to make our work possible. Donate to power our nonprofit reporting today. Give now.

 

Related News

They live in their cars and can't find safe parking. Advocates want to change that
Indiana hospitals struggle with IV fluid shortage following Hurricane Helene
All Indiana counties have a mental health workforce shortage. A new report provides solutions