Health care company Anthem Inc. has signed a settlement agreement with the Department of Health and Human Services (HHS) for $16 million after data from millions of customers was exposed in a 2014–2015 cyber attack.
While Anthem has not admitted fault, it also has agreed to follow a corrective action plan to be overseen by HHS for the next six years.
“Anthem takes the security of its data and the personal information of consumers very seriously,” Anthem said in an emailed statement. “The HHS Office for Civil Rights (OCR) has been reviewing the sophisticated cyber attack on Anthem that occurred in 2015. We have cooperated with the OCR throughout their review and have now reached a mutually acceptable resolution.”
The OCR was first alerted to the breach in March 2015 when Anthem filed a breach report. The company discovered the breach a month and a half earlier on Jan. 29, 2015, which HHS says could have been prevented, or at least contained, if it had taken “appropriate measures.”
Attackers sent a spear-phishing email to an Anthem subsidiariary, which at least one employee responded to, opening the door for hackers to steal the data of some 79 million people. The data stolen included addresses, medical identification numbers, dates of birth, social security numbers, and employment information.
Anthem believes the hackers first breached the system on Dec. 2, 2014, and had access to the data until Jan. 27, 2015, almost two months.
After an investigation, HHS determined that starting as early as Feb. 18, 2014, Anthem failed to take security precautions that would have alerted the company to a breach. The department took legal action on the grounds that the breach violated the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which protects patients health data.
“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino in a statement. “We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”
Anthem did not respond directly to Severino’s accusation that the company didn’t have “strong password policies,” but it did address the timeliness of its response.
“At the time of the incident, our first priority was to ensure that our systems were secure, which we did by engaging a world-class security organization and the FBI,” Anthem said in an emailed statement. “Additionally, we provided initial notice within four business days, and credit protections within 11 business days.”
The company says it is not aware of any identity theft as a result of the stolen beneficiary data.
The California Department of Insurance also did an investigation into the breach, and concluded that Anthem had taken “reasonable measures” to protect its data and had a “rapid and effective” response to the breach once it was discovered.
While no government agencies have named the attackers, independent cyber security researchers believe a Chinese state-backed hacker group was behind it. The group goes by several names: KungFu Kittens, Group 72, PinkPanther, and, most famously, Deep Panda.
Deep Panda also has been linked to the 2015 attack on the U.S. Office of Personnel Management that stole background data on some 4 million past, current, and potential federal employees.
Security experts believe the Chinese regime wanted the data to get security access for its spies, or to compromise current U.S. government employees.