Health insurer Anthem to pay $16-million settlement after big 2015 data breach

Anthem and federal officials have agreed to settle potential violations of privacy requirements stemming from a cyberattack discovered in 2015.
(Michael Conroy / Associated Press)

Anthem Inc., the nation’s second-largest health insurer, has agreed to pay a record $16 million to the government to settle potential privacy violations in the biggest known healthcare hack in U.S. history, federal officials said Monday.

The personal information of nearly 79 million people — including names, birth dates, Social Security numbers and medical IDs — was exposed in the cyberattack, which Anthem discovered in early 2015.

The settlement between the Indianapolis company and the Department of Health and Human Services represents the largest amount collected by the agency in a healthcare data breach, officials said.


“When you have large breaches, it erodes people’s confidence in the privacy of their sensitive information, and we believe such a large breach of trust merits a substantial payment,” said Roger Severino, director of the department’s Office for Civil Rights. The office also enforces the federal healthcare privacy law known as HIPAA, or the Health Insurance Portability and Accountability Act.

Severino said the size of the Anthem settlement sends a message to the industry that “hackers are out there always, and large healthcare entities in particular are targets.”

Anthem also agreed to take corrective steps under government monitoring, which include assessing its electronic security risks, taking appropriate countermeasures and maintaining surveillance.

The Blue Cross Blue Shield insurer covers more than 40 million people and sells individual and employer coverage in key markets such as California and New York.

The $16-million payment is in lieu of civil penalties that the Department of Health and Human Services may have imposed. Anthem admitted no liability. The civil case involving privacy laws is separate from any other investigation the government may be pursuing.

Anthem said Monday that it is not aware of any fraud or identity theft stemming from the breach. The company provided credit monitoring and identity theft insurance to all potentially affected customers.


“Anthem takes the security of its data and the personal information of consumers very seriously,” it said in a statement. “We have cooperated with [the government] throughout their review and have now reached a mutually acceptable resolution.”

The company discovered the data breach in early 2015, but hackers had been burrowing into its systems for weeks. Security experts said at the time that the size and scope of the attack indicated potential involvement by a foreign government.


5:02 p.m.: This article was updated with additional details.

This article was originally published at 3 p.m.