Revenue Cycle Management
COVID-19
Reimbursement
Diabetes Awareness Month
Risk Management
Patient Retention
Staffing
Medical Economics® 100th Anniversary
Coding and documentation
Business of Endocrinology
Telehealth
Physicians Financial News
Cybersecurity
Cardiovascular Clinical Consult
Locum Tenens, brought to you by LocumLife®
Weight Management
Business of Women's Health
Practice Efficiency
Finance and Wealth
EHRs
Remote Patient Monitoring
Sponsored Webinars
Medical Technology
Billing and collections
Acute Pain Management
Exclusive Content
Value-based Care
Business of Pediatrics
Concierge Medicine 2.0 by Castle Connolly Private Health Partners
Practice Growth
Concierge Medicine
Business of Cardiology
Implementing the Topcon Ocular Telehealth Platform
Malpractice
Influenza
Sexual Health
Chronic Conditions
Technology
Legal and Policy
Money
Opinion
Vaccines
Practice Management
Patient Relations
Careers

Anthem settles with state AGs in cyber attack

October 1, 2020

Article

The settlement relates to a 2015 cyber attack that impacted 78.8 million customers.

Health insurance giant Anthem has settled with State Attorneys General from across the country in connection to a 2015 cyber attack on the company.

According to a news release, the company agreed to pay $39.5 million in settlement in connection to the multistate investigation. As part of the settlement, Anthem does not admit any violation of law connected to the attack from what the company called a “sophisticated state-sponsored criminal attack group.”

In a separate release, New York Attorney General Letitia James says that the breach, which occurred in 2014 but wasn’t disclosed by Anthem until February 2015, compromised the personal information of 78.8 million of Anthem’s customers across the country. The attackers were able to harvest names, dates of birth, Social Security numbers, healthcare identification numbers, home addresses, email addresses, phone numbers, and employment information.

The James release says that Anthem will also be required to implement the following:

Prohibiting the misrepresentation of the extent to which Anthem protects the privacy and security of consumers’ personal information;

Implementing a comprehensive information security program that incorporates principles of zero trust architecture and includes regular security reporting to the Board of Directors and prompt notice of significant security events to the CEO;

Setting up specific security requirements with respect to segmentation, logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing, and employee training, among other requirements; and

Scheduling third-party security assessments and audits for three years, as well as requiring that Anthem make its risk assessments available to a third-party assessor during that term.

Anthem also previously entered into a class action settlement establishing a $115 million settlement fund to pay for additional credit monitoring, cash payments up to $50 per individual breached, and reimbursement for out-of-pocket losses for affected customers, the James release says.

No evidence was found that information obtained in the leak resulted in fraud, Anthem says.