Health care company Anthem Inc. has signed a settlement agreement with the Department of Health and Human Services (HHS) for $16 million after data from millions of customers was exposed in a 2014–2015 cyber attack.
“Anthem takes the security of its data and the personal information of consumers very seriously,” Anthem said in an emailed statement. “The HHS Office for Civil Rights (OCR) has been reviewing the sophisticated cyber attack on Anthem that occurred in 2015. We have cooperated with the OCR throughout their review and have now reached a mutually acceptable resolution.”
The OCR was first alerted to the breach in March 2015 when Anthem filed a breach report. The company discovered the breach a month and a half earlier on Jan. 29, 2015, which HHS says could have been prevented, or at least contained, if it had taken “appropriate measures.”
Attackers sent a spear-phishing email to an Anthem subsidiary, which at least one employee responded to, opening the door for hackers to steal the data of some 79 million people. The data stolen included addresses, medical identification numbers, dates of birth, Social Security numbers, and employment information.
Anthem believes the hackers first breached the system on Dec. 2, 2014, and had access to the data until Jan. 27, 2015, almost two months.
After an investigation, HHS determined that starting as early as Feb. 18, 2014, Anthem failed to take security precautions that would have alerted the company to a breach. The department took legal action on the grounds that the breach violated the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which protects patients' health data.
Anthem did not respond directly to Severino’s accusation that the company didn’t have “strong password policies,” but it did address the timeliness of its response.
“At the time of the incident, our first priority was to ensure that our systems were secure, which we did by engaging a world-class security organization and the FBI,” Anthem said in an emailed statement. “Additionally, we provided initial notice within four business days, and credit protections within 11 business days.”
The company says it is not aware of any identity theft as a result of the stolen beneficiary data.
While no government agencies have named the attackers, independent cyber security researchers believe a Chinese state-backed hacker group was behind it. The group goes by several names: KungFu Kittens, Group 72, PinkPanther, and, most famously, Deep Panda.