A foreign threat actor by the name of ATP hacked into Anthem’s database back in February 2014 when an employee opened a phishing email that contained a malicious payload.
Anthem did not discover the breach until January 2015, almost a year later.
The attack compromised the data of 78.8 million patients between February 2014 and January 2015.
The hackers obtained remote access to the employee's computer and at least 90 other systems within Anthem’s infrastructure, including its database.
The compromised data included names, dates of birth, medical IDs, Social Security numbers, and contact details. Employment details were also compromised during the incident.
The Department of Justice indicted the China-based hacker behind the attack in 2019, but a lot of damage had already been done.
The attack on Anthem was the largest breach in 2015 and has remained the largest data breach, leading to a record-breaking $115 million class action settlement with breach victims and the largest Office for Civil Rights settlement in the agency’s history, for $16 million and a corrective action plan.
“Companies, like Anthem, that collect and maintain personal information have a duty to maintain its security and privacy,” said Delaware Attorney General Kathy Jennings, in a statement. “Anthem breached that trust and today my office, together with other attorneys general, is holding it accountable.”
“Consumers are left with little choice but to trust that their personal health information will be safe and secure,” said California Attorney General Xavier Becerra, in a statement. “Anthem failed in that duty to its customers. Anthem’s lax security and oversight hit millions of Americans. Now Anthem gets hit with a penalty, in the millions, in return.”
The settlement money will be distributed among the states, with each state's share determined by the number of victims in that state.
For example, California will receive $8.69 million, Delaware will receive $162,707, New York will receive $2.7 million, and Florida will receive $600,000, among other settlements.
Anthem is also required to strengthen its security practices and implement a comprehensive information security program.
The information security program includes zero trust architecture, regular security reporting to the board of directors, and prompt notice of significant security events to the CEO.
Furthermore, Anthem must implement security practices such as network segmentation, logging and monitoring, anti-virus maintenance, access controls, two-factor authentication, encryption, risk assessments, penetration testing, and employee training, in addition to other security requirements.
Third-party security assessments and audits are required for the next three years, and Anthem is required to make its risk assessments available to a third-party assessor at that time.