3 min read

Anthem settles with 44 states for additional $40M over 2015 breach

Rikin Shah October 15, 2020

Healthcare cybersecurity news
Anthem logo
Anthem logo When it comes to catching business associates that violate HIPAA authorities are quick to dole out fines in the millions of dollars to companies that have flaunted the rules.  This is precisely what happened with the 2015 Anthem breach where the second-largest health insurance provider in the world (after Blue Cross Blue Shield) paid a $16 million HIPAA fine and settled a class-action lawsuit for $115 million.  The fallout continues today, five years later.  The company has recently settled to pay out an additional $40 million to 44 different states as a result of further investigations and litigation into damages.  

 

Background

Back in 2015, we wrote an article about Anthem's enormous class-action lawsuit and did some simple math for you: since 80 million people are covered through Anthem, that means that around a quarter of the United States of America had their protected health information (PHI) , such as names, birthdates, social security numbers, and medical identification, leaked.  This was a result of Anthem not encrypting their databases, and we've certainly learned a lot about encryption since then. In fact, entire products have been developed to maintain encryption standards in order to remain HIPAA compliant while using digital tools. 

 

How Anthem got hacked

The cause of this particular hack was due to an advanced persistent threat (APT) linked to a Chinese foreign threat actor that gained initial access in February 2014 when an employee opened a phishing email which was not internally discovered until January 2015 after the hacker had already exfiltrated a large amount of unencrypted PHI.  In this instance, a user within one of Anthem’s subsidiaries opened a phishing email with the URL: http://www.we11point.com which was a misnomer of the outdated http://www.wellpoint.com . This is a prime example of domain spoofing, a common tactic in phishing attacks.  These types of breaches are common for large organizations with significant amounts of lucrative data. The average cost of a single healthcare record on the black market is $363.  A report by cybersecurity firm Mandiant found that Anthem could take some additional steps to prevent future attacks by: 
  • Training employees to identify phishing emails
  • Deploying a robust spam filter that detects malware and suspicious emails 
  • Deploying a web filter that blocks connections to malicious content
  • Using security policies that require password expiration, renewal, and complexity such as two-factor authentication

 

What is happening now

While Anthem agreed to pay a  $16 million HIPAA fine, a further $115 million in lawsuits was also paid out to fund two years of credit monitoring for victims as well as other breach-related expenses. The most recent settlement of $40 million will be paid out to 44 states, with money allocated according to the number of individuals affected in the state.  In addition to the multi-state settlement, new provisions include the prohibition against misrepresentation about Anthem’s privacy, updated security monitoring for PHI, as well as a comprehensive security program with zero trust architecture

 

Why you should contract with a HIPAA-oriented service

If this example is not enough to make you consider going with a proven service that can secure patient data, then we don’t know what will. Anthem could have saved hundreds of millions of dollars if it had just encrypted PHI from the get-go. While Anthem has gone through a massive IT security overhaul during the last few years, this latest class action lawsuit shows that the fallout from these kinds of situations can last for years.  It’s better to prevent the breach in the first place.  By working with a HIPAA compliant email provider, you avoid the potential risks of leaked PHI that can result in severe damages and fines that might sink a smaller company without nearly as many resources as the second-largest health insurance provider in the nation.  For example, the Paubox Email Suite Plus includes two key features that can effectively mitigate email phishing risks:
  • Inbound Security: Robust spam, virus, ransomware, and phishing protection that stops threats before they reach your inbox
  • ExecProtect: Patented protection from display name spoofing attacks, preventing hackers from impersonating your CEO or other company leaders to trick employees into compromising your security
Phishing attacks are just a reality of operating in the digital world. Being involved in the healthcare industry paints an even larger target on your back due to the value of a single medical record.  Prevent data breaches and avoid fines by securing your email communications with Paubox today. 
 
Try Paubox Email Suite Plus for FREE today.
Start for free
Secure every email you send and receive HIPAA compliant. Threat-proof. Hassle-free.
Blue padlock icons with binary code and red "PHISHING" text

Insufficient risk analysis results in data breach and $400,000 settlement

Phuong Tran : April 13, 2017

Metro Community Provider Network (MCPN), a Federally Qualified Health Center (FQHC), has incurred a data breach due to an insufficient risk analysis...

HIPAA compliance Healthcare cybersecurity news
Read More
computer with red lock

Coos County Health breach exposes data of over 40,000 patients

Picture of Farah Amod Farah Amod : October 27, 2025

A ransomware attack on a New Hampshire healthcare provider has compromised sensitive data from tens of thousands of patients.

Healthcare cybersecurity news
Read More
wellnow urgent care logo

WellNow Urgent Care settles data breach lawsuit for $4.4 million

Picture of Farah Amod Farah Amod : June 2, 2025

Nearly 600,000 people were affected by a ransomware attack that compromised sensitive data across WellNow Urgent Care and its affiliates.

Healthcare cybersecurity news
Read More

Subscribe to Paubox Weekly

Every Friday we bring you the most important news from Paubox. Our aim is to make you smarter, faster.