Anthem agreed to pay $39.5 million to settle an investigation by state attorneys general into the massive 2015 cyber-attack that exposed the personal information of nearly 79 million of the health insurer’s members and employees.
The settlement resolves the last open investigation of the breach, in which hackers stole the names, birth dates, Social Security numbers, home addresses and other information of current and former members and workers. Anthem said it does not believe it violated the law regarding data security and did not admit to doing so in the settlement.
Two years ago, Anthem paid HHS’ Office for Civil Rights $16 million to settle potential violations of the Health Insurance Portability and Accountability Act privacy and security rules. The Blue Cross and Blue Shield insurer also paid $115 million in 2017 to settle a class action over the breach.
Investigations into the cyberattack revealed that it occurred when a user at one of Anthem’s companies opened a phishing email with malicious content, allowing hackers to gain remote access to the computer and Anthem’s data warehouse. Anthem said there is no evidence that the hack has resulted in fraud.
Last year, two Chinese nationals were indicted by a federal grand jury for the attack.