Anthem Inc. has agreed to pay a group of states $39.5 million to settle claims the health insurer failed to safeguard its data, a breach that led to a massive computer hacking in 2015 that compromised the private information of 78.8 million customers and former customers.
The Indianapolis-based company announced the settlement agreement Wednesday morning with a group of state attorneys general investigating the cyberattack. Anthem did not admit to any wrongdoing.
“Anthem does not believe it violated the law in connection with its data security and is not admitting to any such violations in this settlement with the State Attorneys General,” the company said in the announcement.
Anthem said the settlement closes the last investigation into the hacking. The company earlier paid $115 million to settle more than 100 class action lawsuits accusing it of inadequate data security. It also agreed to pay the U.S. Department of Health and Human Services $16 million to settle potential privacy violations.
The personal information of tens of millions of people—including names, birth dates, Social Security numbers and medical IDs—was exposed in the cyberattack, discovered by the company in 2015.
Last year, a federal grand jury in Indianapolis indicted a Chinese national in connection with the massive computer hacking. The U.S. Justice Department said Chinese resident Fujie Wang, 32, and other members of a hacking group broke into the computer networks of Anthem and three other U.S. businesses and installed malware to thwart the systems and steal private information. The other hacked companies were not identified.
Wang and another defendant, identified only as John Doe, were charged with one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two substantive counts of intentional damage to a protected computer.
The FBI has issued a “wanted” poster for Wang, who is believed to live in Shenzhen, China. It isn’t clear whether prosecutors would be able to bring him to the United States for trial if he is apprehended. The U.S. Attorney’s Office for the Southern District of Indiana declined to comment.
Prosecutors say the defendants used “extremely sophisticated techniques” to hack into Anthem’s computers and steal confidential business information and patient records. That included sending specially tailored “spear-phishing” emails with embedded hyperlinks to employees.
After a user accessed the hyperlink, a file was downloaded that, when executed, deployed malware that compromised the user’s computer system by installing a tool known as a back door that gave the defendants remote access to the system.