Anthem agrees to pay $39.5M in latest settlement over 2015 hacking


Anthem Inc. has agreed to pay a group of states $39.5 million to settle claims the health insurer failed to safeguard its data, a breach that led to a massive computer hacking in 2015 that compromised the private information of 78.8 million customers and former customers.

The Indianapolis-based company announced the settlement agreement Wednesday morning with a group of state attorneys general investigating the cyberattack. Anthem did not admit to any wrongdoing.

“Anthem does not believe it violated the law in connection with its data security and is not admitting to any such violations in this settlement with the State Attorneys General,” the company said in the announcement.

Anthem said the settlement closes the last investigation into the hacking. The company earlier paid $115 million to settle more than 100 class action lawsuits accusing it of inadequate data security. It also agreed to pay the U.S. Department of Health and Human Services $16 million to settle potential privacy violations.

The personal information of tens of millions of people—including names, birth dates, Social Security numbers and medical IDs—was exposed in the cyber-attack, discovered by the company in 2015.

Last year, a federal grand jury in Indianapolis indicted a Chinese national in connection with the massive computer hacking. The U.S. Justice Department said Chinese resident Fujie Wang, 32, and other members of a hacking group broke into the computer networks of Anthem and three other U.S. businesses and installed malware to thwart the systems and steal private information. The other hacked companies were not identified.

Wang and another defendant, identified only as John Doe, were charged with one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two substantive counts of intentional damage to a protected computer.

The FBI has issued a “wanted” poster for Wang, who is believed to live in Shenzhen, China. It isn’t clear whether prosecutors would be able to bring him to the United States for trial if he is apprehended. The U.S. Attorney’s Office for the Southern District of Indiana declined to comment.

Prosecutors say the defendants used “extremely sophisticated techniques” to hack into Anthem’s computers and steal confidential business information and patient records. That included sending specially tailored “spearfishing” emails with embedded hyperlinks to employees.

After a user accessed the hyperlink, a file was downloaded that, when executed, deployed malware that compromised the user’s computer system by installing a tool known as a back door that gave the defendants remote access to the system.


5 thoughts on “Anthem agrees to pay $39.5M in latest settlement over 2015 hacking”

  1. It’s been 5 years so I don’t remember for sure about this, but I think I was notified that I was one of the 78 million people whose account data was hacked. I also have no memory of ever getting any settlement. So it’s interesting to me that Anthem “earlier” paid $115 million as part of several class action lawsuits (a lousy $1.46 each, less attorneys’ fees) and now a group of states are getting $39.5 million (that would be $0.50 each). Does anyone remember getting any money or did they offer free credit monitoring for a year or some other such pitiful recompense?

    Anthem probably uses “commercially reasonable” efforts to secure their data and no company is bulletproof. Yet they also make billions a year on profit and could likely afford to disgorge more than $150MM for whatever back doors they had in their systems to ensure they take it more seriously in the future. Thoughts?

    1. I was one affected (thru my employer medical policy). I am still receiving monitoring, not of my credit accounts, but that none of my compromised info is appearing where it shouldn’t. I presume that means out for sale somewhere on the dark web.

  2. Yes my question as well. Who actually gets the money and/or is going to be getting this settlement money? I certainly hope it is not the States and HHS as they were not the ones damaged by this breach. But my fear is that the dollars will end up in the States’ coffers like all other fines and penalties. Anyone know the answer here?

    1. It’s like when Gov’t imposed 17k fines per person if you were stuck on a plane longer than 3 hours. Passengers saw nothing, FAA kept it. Passengers got to reschedule their flights for free, which they would have done anyway.
