CoverLink Insurance - Ohio Insurance Agency

Cyber Case Study: Anthem Data Breach

by Kelli Young | Sep 27, 2021 | Case Study, Cyber Liability Insurance

In late 2014, Anthem—a well-known health insurance company that provides coverage to more than 100 million Americans—suffered a large-scale data breach. Foreign cyber-criminals leveraged malicious email tactics to access Anthem’s computer systems and subsequently compromise millions of members’ personal information. The Anthem data breach was revealed to the public in early 2015, causing widespread alarm among Anthem’s members and costing the company hundreds of millions of dollars in recovery efforts and legal expenses.

This breach has since been dubbed one of the most devastating cyber incidents within the U.S. health care industry, contributing to a nationwide conversation about the importance of data protection. In the aftermath, organizations can learn various cybersecurity lessons by reviewing the details of this incident, its impact and Anthem’s mistakes along the way. Here’s what your organization needs to know.

The Details of the Anthem Data Breach

After infiltrating Anthem’s data warehouse, the cybercriminals began transporting records from this system. By December 10, 2014, Deep Panda had exfiltrated nearly 80 million Anthem members’ records. These records included a wide range of personal details—including names, birthdates, Social Security numbers, health care identification numbers, contact information (e.g., email and home addresses) and income data. Fortunately, members’ credit card information, medical history and claims data were not compromised.

On January 27, 2015—more than one month after the data warehouse exfiltration—Anthem discovered that the breach had taken place. Within days, the company informed the federal authorities of the incident. The following week, Anthem shared the details of the breach with the public through a written press release on February 4, 2015. Later that month, the company hired a cybersecurity firm to investigate how the breach occurred and develop measures to prevent future incidents. In the following years, the U.S. Department of Justice eventually indicted multiple Chinese hackers associated with Deep Panda for their involvement in the incident.

The Impact of the Anthem Data Breach

In addition to compromised data, Anthem faced several consequences following the large-scale breach.

Recovery costs: The company incurred significant recovery expenses after the breach took place. In fact, the incident is estimated to have cost Anthem a total of nearly $260 million. Breaking down these expenses, the company first spent over $30 million in the process of notifying the public of the breach. In an attempt to support members affected by the incident, Anthem then spent $112 million to offer these individuals credit monitoring and identity theft protection. From there, the company spent an additional $2.5 million to receive assistance from expert consultants during the investigation. Lastly, Anthem spent $115 million to bolster multiple workplace cybersecurity measures and implement enhanced data protection protocols.

Reputational damages: Anthem also received widespread criticism from its members, the media and security experts after the breach. Although the company possessed various cybersecurity measures and an incident response plan that helped mitigate damages upon discovering the breach, Anthem still experienced scrutiny for its lackluster data protection procedures. Namely, the company failed to encrypt the records held in its data warehouse—a vital step that could have kept members’ personal details private from Deep Panda and largely minimized the incident’s overall impact.

Legal ramifications: In the years following the breach, Anthem faced numerous lawsuits from various avenues. The company first reached a $115 million class-action settlement in 2017 with individuals impacted by the incident. In 2018, Anthem then paid a record-setting $16 million settlement to the Office for Civil Rights for Health Insurance Portability and Accountability Act (HIPAA) violations stemming from the breach. Prior to this settlement, the highest HIPAA penalty recorded was less than $6 million. Most recently, Anthem paid a $39.5 million settlement in 2020 to a coalition of 44 states to resolve a variety of breach-related claims.

In total, the incident is estimated to have cost Anthem nearly $260 million.

Lessons Learned From the Anthem Data Breach

There are several cybersecurity takeaways from the Anthem data breach. Specifically, the incident emphasized these critical lessons.

Employee training is critical. Employees are often the first line of defense against cyber incidents. This point was certainly emphasized during the Anthem data breach. If Anthem’s staff had been able to recognize Deep Panda’s deceptive email tactics, this incident likely could have been prevented altogether. With this in mind, it’s vital for all employees to receive sufficient workplace cybersecurity training. Knowing how to detect and respond to potential cyberthreats—such as phishing scams—can help employees stop cybercriminals in their tracks. Specifically, employees should be educated on these security best practices:

  • Avoid opening or responding to emails from unfamiliar individuals or organizations. If an email claims to be from a trusted source, verify their identity by double-checking the address.
  • Never click on suspicious links or pop-ups, whether they’re in an email or on a website. Don’t download attachments or software programs from unknown sources or locations.
  • Utilize unique, complicated passwords for all workplace accounts. Never share credentials or other sensitive information online.

Data protection should be a top priority. Despite having other valuable cybersecurity measures in place during the breach, Anthem left its members’ records vulnerable by neglecting to implement data protection protocols. Especially within the health care sector, leaving data unprotected can have severe consequences; since health care data often includes information (e.g., individuals’ personal details and intellectual property pertaining to medical research) that’s considered highly valuable to cybercriminals, the likelihood that such data will be targeted in a breach is increased. In fact, a stolen health care record is typically valued at approximately $250 on the black market, whereas the next highest value record (e.g., stolen credit card information) drops to just $5.40. In any case, Anthem’s data security shortcomings showcased how crucial it is to take extra steps to safeguard sensitive information so related losses during cyber incidents are prevented. Key data protection measures include:

  • Encrypting all sensitive workplace data
  • Restricting employees’ access to sensitive data on an as-needed basis
  • Requiring employees to utilize multi-factor authentication before accessing sensitive data
  • Segmenting workplace networks
  • Conducting routine data backups in a secure, offline location

Effective security software is a must. Apart from employee training and data protection, a wide range of security software could have helped Anthem detect, mitigate and potentially prevent this breach. Although this software may seem like an expensive investment, it’s well worth it to avoid devastating cyber incidents. Necessary security software to consider includes network monitoring systems, antivirus programs, endpoint detection products and patch management tools. This software should be utilized on all workplace technology and updated regularly to ensure effectiveness. Also, it’s valuable to conduct routine penetration testing to determine whether this software possesses any security gaps or ongoing vulnerabilities. If such testing reveals any problems, these issues should be addressed immediately.

Proper coverage can provide much-needed protection. Finally, this breach made it clear that no organization—not even a major health insurance company—is immune to cyber-related losses. That’s why it’s crucial to ensure adequate protection against potential cyber incidents by securing proper coverage. Make sure your organization works with a trusted insurance professional when navigating these coverage decisions.

We are here to help.

If you’d like additional information and resources, we’re here to help you analyze your needs and make the right coverage decisions to protect your operations from unnecessary risk. You can download a free copy of our eBook, or if you’re ready to make Cyber Liability Insurance a part of your insurance portfolio, Request a Proposal or download and get started on our Cyber & Data Breach Insurance Application and we’ll get to work for you.


A New In-Depth Analysis of Anthem Breach


Seven state insurance commissioners, in a new report on their investigation into the massive cyberattack against health insurer Anthem Inc. in February 2015, offer a detailed account of what happened in the incident, which began with a phishing campaign. They conclude, as had already been widely speculated, that a nation-state was behind the attack, which affected 78.8 million individuals. But they stop short of naming the nation involved.

The commissioners also announced they reached a regulatory settlement agreement with the insurer that did not impose any fines but called on the company to make significant investments in security enhancements. Anthem is spending more than $260 million on those security-related measures, the report notes.

"Our examination team concluded with a significant degree of confidence that the cyberattacker was acting on behalf of a foreign government," California Insurance Commissioner Dave Jones says in a statement.

"Insurers and regulators alone cannot stop foreign government assisted cyberattacks," he says. "The United States government needs to take steps to prevent and hold foreign governments and other foreign actors accountable for cyberattacks on insurers, much as the president did in response to Russian government sponsored cyber hacking in our recent presidential election." (See Russian Election Related Hacking Details Declassified.)

The California Department of Insurance took the lead in releasing on Jan. 6 a report outlining the investigation's findings, plus a regulatory settlement agreement.

The settlement document notes that Anthem "has already incurred significant costs related to the data breach." That includes $2.5 million to engage expert consultants; $115 million for the implementation of security improvements; $31 million to provide initial notification to the public and affected individuals; and $112 million to provide credit protection to breach-impacted consumers. "The company and the lead states have also agreed upon additional security enhancements and further efforts to assist breach-affected individuals," the document notes.

Breach Investigation Findings

The insurance commissioners employed an examination team that included the cybersecurity firm CrowdStrike and Alvarez & Marsal Insurance and Risk Advisory Services. The team focused its investigation on Anthem's pre-breach response preparedness, the company's response adequacy at the time of the breach and its post-breach response and corrective actions, the California Department of Insurance statement notes.

The investigation by the insurance commissioners' examination team - and a separate internal investigation by security firm Mandiant, which Anthem hired - determined the data breach began on Feb. 18, 2014, when a user within one of Anthem's subsidiaries opened a phishing email containing malicious content.

Opening the email launched the download of malicious files to the user's computer and allowed hackers to gain remote access to that computer and dozens of other systems within the Anthem enterprise, including Anthem's data warehouse, the commissioners' investigation report says.

Starting with the initial remote access, the attacker was able to move laterally across Anthem systems and escalate privileges, gaining increasingly greater ability to access information and make changes in Anthem's environment, the investigative report says.

"The attacker utilized at least 50 accounts and compromised at least 90 systems within the Anthem enterprise environment including, eventually, the company's enterprise data warehouse - a system that stores a large amount of consumer personally identifiable information," the report notes. "Queries to that data warehouse resulted in access to and exfiltration of approximately 78.8 million unique user records."

The investigation team found that Anthem had taken reasonable measures before the data breach to protect its data and employed a remediation plan resulting in a rapid and effective response to the breach once it was discovered. The team worked with Anthem to develop a plan to address its security vulnerabilities and conducted a penetration test exercise to validate the strength of Anthem's corrective measures. As a result, the team found Anthem's improvements to its cybersecurity protocols and planned improvements were reasonable, the report notes.

Nation-State Attacker

"The team determined with a high degree of confidence the identity of the attacker and concluded with a medium degree of confidence that the attacker was acting on behalf of a foreign government," the report states. "Notably, the exam team also advised that previous attacks associated with this foreign government have not resulted in personal information being transferred to non-state actors."

The report does not identify the nation-state suspected in the attack.

Herb Lin, senior research scholar for cyber policy and security at the Center for International Security and Cooperation, a think tank at Stanford University, notes, however, that China had been suspected as being involved in the attack when it was revealed in 2015. "It could have been China, it could have been Russia or another country. But China has a vibrant biotechnology [industry] where healthcare information could be competitively relevant to them," he notes.

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes: "It's interesting that the California Department of Insurance chose not to identify China in light of earlier press reports suggesting their involvement."

Critiquing the Report

Dan Berger, CEO of security consulting firm Redspin, says he's confident in the findings of the investigation. "I have the same degree of confidence as the investigators that this attack was orchestrated by a nation-state," he says. "The sophistication of the attack is evident not from the phishing email but from the ability of the malware to move laterally throughout the IT infrastructure, access critical databases, and exfiltrate data - all without detection."

As for the settlement between Anthem and the insurance commissioners, "I see this settlement as good news for Anthem," Greene says. "The states found that administrative fines or penalties were not warranted, and that Anthem's money is better spent on cybersecurity than on 'punitive or exemplary fines.' Anthem may try to use this as evidence in [ongoing class action] litigation that they acted responsibly and that punitive damages are not appropriate," he notes (see Those Suing Anthem Seek Security Audit Documents).

Lessons Learned

Other healthcare sector organizations also can learn from the Anthem investigation report, security experts note.

"The fact that the investigation revealed that a breach of this magnitude began with a phishing email underscores the importance of comprehensive and frequent security awareness training for all employees of healthcare organizations," Berger says.

"The human 'perimeter' again and again appears to be the weakest link. This isn't easy - the attackers can send hundreds if not thousands of emails over time and it only takes one to get through."

Keith Fricke, principal consultant at tw-Security, adds: "There are no guarantees that social engineering awareness training will 100 percent prevent successful social engineering attacks, but it will help reduce the risk. Using and maintaining advanced malware protection and patching security vulnerabilities remain important as risk management measures."

Bolstering Security

In terms of the money Anthem has been spending in bolstering security in the wake of the breach, "Anthem is making a large but proportionate investment," Berger says. "I expect other healthcare organizations to take note and hopefully that will translate into increased IT security budgets sooner rather than later."

The insurance commissioners' report notes that Anthem has implemented two-factor authentication on all remote access tools, deployed a privileged account management solution and added enhanced logging resources to its security event and incident management solutions.

"Further, the company conducted a complete reset of passwords for all privileged users, suspended all remote access pending implementation of two-factor authentication and created new Network Admin IDs to replace existing IDs," the report notes. "Anthem acquired additional technology to improve its monitoring capabilities in critical databases."

The report also points out that the examination team noted "exploitable vulnerabilities in the immediate aftermath of the data breach, and that Anthem had developed a remediation plan to address those issues. It is the examination team's view that Anthem's improvements to its cybersecurity protocols and schedule of planned future improvements appeared to be reasonable efforts to secure the environment beyond the initial data breach remediation tasks."

Mac McMillan, CEO of security consulting firm CynergisTek, says Anthem appears to be taking the right critical steps to bolster its security. "The Anthem breach and investigation afterward demonstrate how important it is for organizations to clean up and tighten the access control measures and the value of two-factor authentication," he notes.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

U.S. Dept. of Health & Human Services

Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History

This is a HIPAA Settlement Announcement

Issued by: Office for Civil Rights (OCR)

Issue Date: July 10, 1905

Anthem, Inc. has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people.

The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016.

Anthem is an independent licensee of the Blue Cross and Blue Shield Association operating throughout the United States and is one of the nation’s largest health benefits companies, providing medical care coverage to one in eight Americans through its affiliated health plans.  This breach affected electronic protected health information (ePHI) that Anthem, Inc. maintained for its affiliated health plans and any other covered entity health plans.

On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, they discovered cyber-attackers had gained access to their IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack.  After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino.  “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information.” Director Severino continued, “We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”

In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.

In addition to the $16 million settlement, Anthem will undertake a robust corrective action plan to comply with the HIPAA Rules. The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/anthem/index.html.

Anthem Data Breach Litigation

Status: Past Case

Practice area: Consumer Protection

Court: U.S. District Court, Northern District of California

Case number: 15-MD-02617-LHK

On August 16, 2018, the Honorable Lucy H. Koh in the U.S. District Court for the Northern District of California granted final approval to a $115 million settlement – the largest data breach settlement in U.S. history – ending claims that Anthem Inc., one of the nation’s largest for-profit managed health care companies, put 78.8 million customers’ personal information, including social security numbers and health data, at risk in a 2015 data breach.

Andrew N. Friedman, Partner and Co-Chair of Cohen Milstein’s Consumer Protection practice group, is Co-Lead Plaintiffs’ Counsel in this high-profile class action lawsuit against Anthem, Inc.

Case Background

In February 2015, Anthem reported that it had incurred a massive data breach that compromised the Personally Identifiable Information (PII) and Personal Health Information (PHI), including social security numbers and health data, of 78.8 million insureds, thus constituting one of the largest data breaches ever.

On June 8, 2015 the Judicial Panel on Multidistrict Litigation transferred seventeen putative class action lawsuits to the Honorable Lucy H. Koh in the U.S. District Court for the Northern District of California for coordinated pretrial proceedings. An additional 110 cases were later transferred or related to the MDL.

The complaints alleged that Anthem failed to take adequate and reasonable measures to ensure its data systems were protected, failed to take available steps to prevent and stop the breach from ever happening, and failed to disclose to its customers the material facts that it did not have adequate computer systems and security practices to safeguard their personal data. Victims of the Anthem data breach – including children – face a lifetime risk of interference with their business and financial affairs.

Judge Lucy Koh appointed Cohen Milstein’s Andrew N. Friedman to lead this watershed case as one of two co-lead counsel from amongst hundreds of plaintiffs’ attorneys.

Under Mr. Friedman’s leadership, a team of attorneys aggressively pursued compensation from Anthem, its affiliates, numerous Blue Cross Blue Shield entities and the Blue Cross Blue Shield Association. Judge Koh permitted the case to go forward under a “bellwether” approach, whereby dispositive motions only went forward on 10 of the hundreds of causes of action alleged in the consolidated complaints. From the six surviving claims (California breach of contract; New Jersey breach of contract; California UCL; an omission claim under the New York GBL; New York unjust enrichment; and third-party beneficiary claims on behalf of federal employees), the Court permitted class certification proceedings to go forward on four of the six claims. Plaintiffs chose to go forward on the California breach of contract, the California UCL, the New York GBL and the federal contract claims.

Through arguments made in several rounds of motions to dismiss, Plaintiffs were successful in convincing Judge Koh to sustain claims and damage theories (in her February 14, 2016 and May 27, 2016 Orders) that are on the cutting edge for privacy/data breach jurisprudence, including:

  • the ability to pursue “benefit of the bargain” damages. Ultimately, plaintiffs argued in the class motion that these damages could be based on the difference between the objectively determined market value of the health insurance as promised/represented (with data security) and as actually delivered (with inadequate data security) for contract and consumer protection act claims;
  • the ability to pursue damages for loss of value of PII. At the class certification stage, Plaintiffs argued that the value of PII could be measured by the “market” price of that data and/or the cost to class members to protect that PII from being fraudulently used.

Unlike most data breach cases, this case made it all the way through discovery, including the depositions of, and Daubert motions related to, experts.

Mr. Friedman’s team took or defended over 200 depositions and reviewed 3.8 million pages of defendants’ documents.

Ultimately, Mr. Friedman and his co-counsel mediated an historic $115 million settlement, preliminarily approved on August 25, 2017 – the largest settlement ever in a consumer data breach litigation. This record-breaking settlement, if approved, will provide: a minimum of two years of first-rate credit monitoring or alternative cash compensation; payment of out-of-pocket losses related to the breach; fraud resolution services (even if the class member does not submit a claim form); and significant data security practice changes and commitments by Anthem for three years.

For more information about the Anthem Data Breach Litigation, including information about the settlement and important case documents, please see the following website: https://www.databreach-settlement.com/

  • Lead Counsel Order - September 11, 2015
  • Order Granting Motion for Preliminary Approval - August 25, 2017
  • Order - Final Approval of Settlement - August 15, 2018
  • Eric A. Kafka
  • Andrew N. Friedman
  • Geoffrey Graber

Lessons Learned from Anthem Data Breach

Experts say HR should be vigilant about protecting HR data, especially at rest

It’s being called the largest data-breach disclosure by a health care company ever.

As many as 80 million customers and the company’s employees have had their employment data, addresses, Social Security numbers, and birth dates stolen. According to news reports, the parent company of Blue Cross Blue Shield of Georgia, Anthem Inc., has already been sued over the breach.

What’s more, thieves are now trying to scam the victims further via e-mail and by telephone, claiming to be Anthem and asking victims to provide additional information either over the phone or by clicking on bogus links in e-mails.

Following the revelation Feb. 5, 2015, of the massive data breach at Anthem, the country’s second-largest health insurer, security experts contacted by the Society for Human Resource Management (SHRM) say this breach should prompt HR professionals tasked with securing personal health information to seek tougher security measures—especially for data at rest.

Reached via e-mail Monday, Feb. 9, 2015, Anthem’s Public Relations Director Gene Rodriguez told SHRM Online that “Anthem’s database was accessed after logon information for database administrators had been compromised. Because an administrator’s credentials were compromised, additional encryption would not have thwarted the attack.” Rodriguez added that the company’s communications department “has worked very closely with Anthem HR to effectively inform its own associates of the cyberattack and subsequent scam e-mails. Not only did Anthem issue a press release to inform those impacted of potential scams that have popped up, but Anthem sent internal communications warning of the phishing e-mails,” Rodriguez said.

In a news release about the breach, the insurer said that the hackers “gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/Social Security numbers, street addresses, e-mail addresses and employment information, including income data.

“Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation,” the release stated. The company is also working with a cybersecurity firm “to evaluate our systems and identify solutions based on the evolving landscape.”

Diligence Required by HR over Breaches

Several security experts reached by SHRM Online Monday said that while breaches of this nature are increasing and may be unavoidable, the extent of the Anthem breach was unnecessary given the many ways technology can be deployed to lessen a breach’s impact. The Anthem breach may have been the work of Chinese hackers and may have actually begun in April 2014.

“This is a wake-up call for companies who need to stop relying solely on what the information security industry refers to as ‘knowledge-based authentication’: things people know—and can be stolen—such as their password,” said Ryan Wilk, director, customer success, NuData Security, a software development company. “The majority of the Internet relies on only an e-mail and password in order for a user to login to one of their online accounts for banking or shopping.”

That has to stop, experts say.

In addition to two-factor or two-step authentication, which uses a separate rotating set of numbers from a security key supplied by an app or another device, “most secure firms have begun to additionally use ‘behavioral biometrics’ to protect their users from fraud,” Wilk said. “Behavioral biometrics understands users’ unique behaviors, allowing companies to distinguish between the real user and an imposter. Companies using this stop thousands of fraud attempts each month that previously were undiscovered,” Wilk said.

“The fact that Anthem didn’t encrypt their data at rest and only in transit is concerning in and of itself,” said Malte Pollmann, CEO of Utimaco, which makes hardware-based security solutions. “But the critical element of this breach and any other breach is that any data, both encrypted and not, will at certain points in any normal data processing be visible and accessible. The one critical element to contain the impact of a breach lies in the manner with which the key to the encrypted data is stored and managed,” Pollmann said.

Critics say the health care industry has been slow in keeping such personal information secure but that has to change—especially for an industry that keeps such vulnerable information and because HR departments are tasked by law to keep such information safe.

Industry Slow to Protect Data

“The health care industry is notoriously slow in embracing innovation in security,” said Asaf Cidon, CEO of cloud security company Sookasa, in an interview with SHRM. “Reliance on outmoded systems and inconveniencing employees—who are bound to find workarounds despite what IT recommends—is putting data at risk,” he said. “What’s more, it strikes me that health care providers are so focused on checking the box for HIPAA [Health Insurance Portability and Accountability Act of 1996] compliance that they aren’t concerned enough about real, robust security—after all, there is a difference between compliance and security.

“And as the FBI noted in a warning last year, health care companies are increasingly going to be targets for hackers. Rather than accept this inevitability, it’s time that they implement real defenses,” Cidon said.

From biometrics and two-factor authentication to secure military radio frequency (RF) wireless technologies, there are myriad ways to protect data at rest, experts say.

“HR departments and HR IT professionals need to recognize that the Internet is under siege with criminals and nation-states working to access … data,” Robert Twitchell, an expert on Department of Defense cyber warfare, told SHRM Online.

“To counter these threats and ensure that breaches like this don’t occur again, HR needs to recognize the value of the data it holds and the reasons why it’s valuable to the attacker. They then need to protect … data-at-rest and data-in-motion. They should consider examining and deploying techniques traditionally used to secure military RF communications: techniques that augment encryption capabilities and add variability to the process to raise the difficulties and costs associated with collecting such data. Make it expensive enough and difficult enough and the hacker will find a different target,” Twitchell said.

Additional Steps

There are several additional steps HRIT professionals can undertake to “minimize the chances of a breach like what happened at Anthem,” said Joseph Steinberg, an information security expert who has worked on data security for more than 100 hospitals. Steinberg is CEO of Green Armor Solutions.

Those steps include:

  • Encrypting all sensitive data on all computers and mobile devices. “If you are not sure if something is sensitive, it probably is,” he said. “Criminals know how to utilize information to commit identity theft or steal a business’s customers. All sensitive data not in use should remain encrypted.” For example, he said, there is encryption built into the pro versions of Windows—it’s just a matter of turning it on.
  • Giving people access to only the data that they need to do their jobs. “Such a policy means that in many cases if someone’s account is breached, only a limited subset of data will leak.”
  • Using Internet security software on computers and mobile devices. Otherwise, “there is a lot of sensitive information that can be stolen pretty easily,” Steinberg said, adding that tech security companies Symantec and Lookout provide security packages for smartphones and tablets.
  • When using social media, make sure not to post anything that will leak sensitive information about your company. “Tools like www.SecureMySocial.com can warn you if you (or any of your employees) post something that you should not. This can have other HR benefits as well,” Steinberg said.
  • Being skeptical. “If anyone ever calls you from your bank, a supplier, a partner firm, etc., to speak about your account, do not speak with them,” he said. Anthem advised its customers and employees that it would contact them about the cyberattack via mail delivered by the U.S. Postal Service with specific information on how to enroll in credit monitoring. Affected individuals will also receive free credit monitoring and identification protection services, the company stated.
  • Having a security audit conducted by a professional. “These need not be very expensive, especially for smaller businesses with limited numbers of computers, and the findings can be invaluable in preventing breaches,” Steinberg said. “If you would not use a surgeon or lawyer with just a few years of experience, you should not risk your organization on security amateurs. Experience counts.”

Anthem has set up a website, www.anthemfacts.com, to address concerns.

Aliah D. Wright is an online editor/manager for SHRM.


How does a breach like Anthem happen?

It's not as difficult as you'd think.


Remove all the hype, all the sensationalism, and Anthem’s security dilemma is no different from one that any other large organization would face. Was this attack truly sophisticated, or could anyone have pulled it off?

On December 10, 2014, someone compromised a database owned by Anthem Inc., the nation’s second largest health insurer.

The compromise wasn’t discovered until January 27, 2015, after a database administrator discovered his credentials being used to run a questionable query – a query he didn’t initiate. Two days later (January 29), Anthem alerted federal authorities and HITRUST C3 that their internal investigation determined the incident was in fact a data breach. On February 4, 2015, the company disclosed the breach to the public.

“Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members,” Anthem President and CEO, Joseph R. Swedish, said in a statement.

Those responsible for the attack were able to obtain “personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data,” the statement added.

The scope of the breach isn’t fully understood, but there’s a good chance that a majority of the 80 million records contained in the compromised database were exposed. According to company metrics, one in nine Americans have medical coverage through one of Anthem’s affiliated plans.

Anthem, based on data posted to LinkedIn and job listings, uses Teradata for data warehousing, which is a robust platform that’s able to work with a number of enterprise applications.

This technical detail also provides an idea of the level of security Anthem had available, as Teradata has a number of solid security controls available to customers, such as user-level security controls, role-based support, directory integration, traffic encryption, in addition to auditing and monitoring.

In the aftermath of the breach at Anthem, experts have speculated on whether the data in the database was encrypted at the time the attackers compromised it.

The problem is, while HIPAA requires that identifying information be encrypted, that protection goes by the wayside once an attacker compromises an administrator’s credentials. So even if the data was encrypted, it didn’t matter once the attacker(s) had total control over the database.

As for the attack itself, was it truly sophisticated or will the investigation reveal an attack that’s similar to the ones that target organizations the world over day-after-day?

The Associated Press, looking to confirm information first posted by Salted Hash, got Anthem on the record to confirm that not only did the incident start last December, but the company also confirmed that five tech employees had their credentials compromised. It wasn’t clear if this number included the employee who raised the alarm after noticing his credentials being abused, but the count is still significant.

Easier is better. So while the attackers could have used Java, Windows, or Adobe vulnerabilities, the fastest way to obtain credentials is to ask for them, which is exactly what Phishing does in most cases.

Between Google, LinkedIn, Facebook, and various posts across the Web, it wouldn’t take long to develop an email scheme that would eventually lead someone within Anthem’s technology group to reveal their credentials.

But the difference between a passive attack that uses Phishing and what happened at Anthem is persistence.

Based on Anthem’s defenses, it’s possible that the attacker(s) tried to compromise the database earlier in 2014, but were thwarted. However, they kept at it and eventually succeeded. Generic attacks play the numbers game, hoping to get victims on volume. Focused attacks have a small number of targets, and keep taking shots until they get a hit.

While it’s possible that legacy systems are in use on the network, or perhaps Anthem was behind on patches or other maintenance, it doesn’t matter once the credentials have been compromised.

“It will be interesting to discover of what exactly the DBA’s credentials consisted. If they were simply a username and a password, shame on Anthem. Even President Obama has figured out that systems containing PII need two-factor authentication, and said so in his Presidential cybersecurity directive,” said John Zurawski, Vice President at Authentify.

In that case, two-factor authentication might have prevented, or at least made an attack such as the one at Anthem difficult, he said. But what if the attack was sophisticated enough to capture and maintain a valid authenticated session token in real-time, even with two-factor authentication in place?

“This type of session hijacking attack is post-login – once you login, the network maintains a session token that indicates the user in this active session was authenticated. Malware on your computer or in your browser – the advanced persistent threat or APT – captures that session token and is able to maintain and use it. It’s a validated session, so even your two-factor authentication is beaten,” Zurawski explained.

Again, technical controls will only go so far. Once the humans are exploited, those controls are next to useless. Behavioral controls and monitoring can help flag a compromised human element, but it isn’t an exact science. For example, technology didn’t detect the Anthem breach, a human who was paying attention did. Self-awareness among the staff is a serious bonus to any information security program.
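The monitoring point above, as an added example that is not part of the original article: a short Python review of database audit records that profiles each privileged account (usual source hosts, working hours, typical result size) and groups deviations per account so the owner can confirm or disown them. The log format, account, host and table names, and the 20x threshold are all constructed assumptions.

```python
"""Added example: baseline-and-flag review of database audit records.
The log format, accounts, hosts and thresholds are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import median

# Constructed history: timestamp|account|source_host|rows_returned|statement
BASELINE_LOG = """\
2020-03-02T09:12:00|dba_jlee|ws-dba-01|120|SELECT * FROM claims_queue WHERE status = 'ERR'
2020-03-03T10:40:00|dba_jlee|ws-dba-01|45|SELECT member_id FROM enroll_stage WHERE batch = 7
2020-03-04T16:05:00|dba_jlee|ws-dba-01|900|SELECT * FROM job_history WHERE run_date = CURRENT_DATE
2020-03-05T11:30:00|dba_jlee|ws-dba-01|310|SELECT * FROM lock_waits
2020-03-02T13:00:00|dba_mkhan|ws-dba-02|300|SELECT * FROM index_stats
2020-03-03T14:20:00|dba_mkhan|ws-dba-02|500|SELECT * FROM space_usage
2020-03-04T15:45:00|dba_mkhan|ws-dba-02|700|SELECT * FROM job_history WHERE status = 'FAILED'
"""

# Constructed events for the period under review.
REVIEW_LOG = """\
2020-03-09T10:05:00|dba_jlee|ws-dba-01|200|SELECT * FROM lock_waits
2020-03-10T02:31:00|dba_jlee|app-batch-17|1250000|SELECT * FROM member_master
2020-03-10T14:00:00|dba_mkhan|ws-dba-02|60000|SELECT * FROM member_address
2020-03-10T14:30:00|svc_report|rpt-01|10|SELECT COUNT(*) FROM claims
"""

ROW_FACTOR = 20  # assumption: flag a result set over 20x the account's median


@dataclass
class Event:
    ts: datetime
    account: str
    host: str
    rows: int
    statement: str


@dataclass
class Profile:
    hosts: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    rows: list = field(default_factory=list)


def parse(log):
    """Turn pipe-delimited audit lines into Event records."""
    events = []
    for line in log.strip().splitlines():
        # maxsplit=4 keeps any '|' inside the SQL statement intact
        ts, account, host, rows, statement = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), account, host,
                            int(rows), statement))
    return events


def build_profiles(events):
    """Record, per account, the hosts, hours and result sizes seen so far."""
    profiles = defaultdict(Profile)
    for e in events:
        p = profiles[e.account]
        p.hosts.add(e.host)
        p.hours.add(e.ts.hour)
        p.rows.append(e.rows)
    return profiles


def review(events, profiles):
    """Return (event, reasons) for every event that departs from its baseline."""
    findings = []
    for e in events:
        p = profiles.get(e.account)
        if p is None:
            findings.append((e, ["account has no baseline"]))
            continue
        reasons = []
        if e.host not in p.hosts:
            reasons.append(f"new source host {e.host}")
        if not min(p.hours) <= e.ts.hour <= max(p.hours):
            reasons.append(f"outside usual hours ({e.ts:%H:%M})")
        if e.rows > ROW_FACTOR * median(p.rows):
            reasons.append(f"{e.rows} rows vs median {median(p.rows):.0f}")
        if reasons:
            findings.append((e, reasons))
    return findings


def owner_digest(findings):
    """Group findings per account so each owner can confirm or disown them."""
    digest = defaultdict(list)
    for event, reasons in findings:
        digest[event.account].append(
            f"{event.ts.isoformat()} from {event.host}: {event.statement} "
            f"[{'; '.join(reasons)}]")
    return dict(digest)


if __name__ == "__main__":
    flagged = review(parse(REVIEW_LOG), build_profiles(parse(BASELINE_LOG)))
    for account, lines in owner_digest(flagged).items():
        print(account)
        for line in lines:
            print("  " + line)
```

The per-owner digest mirrors how this breach was actually caught: the administrator recognised a query he had not run. An account with no baseline is reported rather than silently passed.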

In truth, implementing a solution that’s robust enough to offer scaled access, monitoring, and identity controls is hard. The technology exists, but putting it to work isn’t as simple as installing a box and pushing a configuration file.

So why target Anthem? If Anthem were a bank, the quote attributed to Willie Sutton would be a perfect fit. Allegedly, when asked why he robbed banks, Sutton said “because that’s where the money is…”

Thus, Anthem was targeted because the attacker(s) wanted information, and Anthem has millions of records at their disposal; they went where the data was. Perhaps there’s more to it than that, but if not, the fact the data was there is all the reason the attacker(s) needed.

“Healthcare providers [and insurers] hold verified personal information that can tell thieves almost anything they need to know about a person, including where they live, their phone number and email addresses and also their social security details. All of this data, in the wrong hands, can be sold on for profit, used to conduct Medicare fraud or indeed complete identity theft,” said Trent Telford, the CEO of Covata, in a recent statement.

The Anthem breach, based on the information they’ve disclosed to the public, doesn’t look to be as sophisticated as advertised. The root cause was most likely Phishing, which would render many of their technical controls useless once the attacker(s) had root-level access to the network and database.

Often, Phishing doesn’t require the use of zero-day vulnerabilities or known exploits – all that’s required is a person who’s willing to do exactly as they’re told.

So who was it that attacked Anthem? At this stage, it doesn’t matter. All that matters is fixing the network and getting back to business as soon as possible.

When it comes to data breaches, there is so much focus on “who” that the “how” isn’t completely addressed, resulting in repeat attacks. Anthem took steps to address “how” and said that passwords were changed immediately, and the data warehouse was secured. It’s a start, but there’s a long way to go.

Attribution is often wrong during a breach investigation, and speculation only makes the incident being addressed worse. Soon after Anthem announced the breach, several media outlets reported that China was to blame. The sources of those claims were anonymous people familiar with the investigation – allegedly they worked with FireEye (Mandiant).

FireEye denied these claims as soon as possible, but by the time their statement hit the media, the rumors had spread. Many of those reporting the claims have yet to retract them and update their stories.

“I would like to change the rhetorical argument then from caring about the who so much and more about the how a hack happens. How did the adversary get in? How did they leverage the vulnerabilities within the company to steal the data without being seen? How did the company miss all of this ex-filtration of data in the first place,” security expert Scot Terban wrote, in a recent blog on the question of attribution.

“The problems with many corporations stem from a lack of security awareness as well as presence within the org to instill secure practices like patch management and employee awareness on what a phish looks like and how to detect them.”


Prior to joining the journalism world in 2005, Steve Ragan spent 15 years as a freelance IT contractor focused on infrastructure management and security. He's a father of two and rounded geek with a strong technical background.


Anthem to pay record $115 mln to settle U.S. lawsuits over data breach


Analysis: Impact of Anthem Breach Case Ruling


A federal court's recent rejection of a motion filed by health insurer Anthem Inc. in its attempt to fight a class-action lawsuit in the wake of its massive data breach is important because it upholds the privacy rights of breach victims, says attorney Steven Teppler.

Attorneys for Anthem had asked the court for permission to scrutinize plaintiffs' computers for security flaws that could potentially lead to identity theft or fraud - a move Teppler, who has represented plaintiffs in other breach cases, portrays as an "intimidation tactic."

Anthem in early 2015 revealed that a hacker attack exposed the data of nearly 80 million current and former health plan members. About 100 lawsuits against the company were consolidated into one federal class-action case in California. The health insurer's attorneys filed a motion in that case seeking permission to access some plaintiffs' computers, smartphones and tablets to image and copy them to determine whether another data breach or embedded malware was responsible for the individuals' potential harm, including identity theft and tax fraud.

Blame the Victim?

Commenting on Anthem's strategy, Teppler says in an interview with Information Security Media Group: "One of the arguments ... that the defense might make is that there are so many data breaches out there, 'you don't know which data breach caused your damage. And so, you can't point a finger at 'Company A' because 'Company B' also had a data breach, and you were a customer of both.'"

But Teppler says that argument isn't likely to stand up in courts - as the ruling in the Anthem case shows. "I think computer ... and cybersecurity forensics can easily resolve those issues. It's something that we see being thrown up as obstacles [by defense teams] toward plaintiffs in class-action matters."

Ultimately, the decision by the judge in the Anthem breach case "is very important because it impinges on privacy issues," he says. "The idea of having an image of a computer taken to discover whether or not at one point there might have been ... a security vulnerability that led to a compromise of the plaintiffs' computers is an intimidation tactic," he says. "All computers have vulnerabilities."

In the interview, Teppler also discusses:

  • The potential damages that individuals whose information has been compromised in large data breaches face;
  • Why class-action lawsuits will likely be filed against some healthcare organizations that recently have been targeted by ransomware attacks;
  • Other data breach lawsuit trends.

Teppler is a partner at the Abbott Law Group, P.A. in Jacksonville, Fla., and leads the firm's electronic discovery and technology-related litigation practice. He was also one of the attorneys who represented plaintiffs in a data breach-related class action lawsuit against health plan AvMed, which ended in a $3 million settlement in 2013. Teppler is also an adjunct professor at Nova Southeastern University Law School.


Murtha Cullina business law firm


More than three years ago, Anthem, Inc. reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that it suffered a cyber attack compromising the protected health information of nearly 79 million individuals. This breach continues to be the largest breach of protected health information to date. Yesterday, OCR announced its record-breaking $16 million settlement with Anthem related to the massive breach.

“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino in an OCR press release. This settlement is nearly three times the previous high of $5.55 million that Advocate Health paid in 2016 for a breach affecting more than 4 million patients.

According to OCR’s allegations, Anthem failed to conduct a system-wide risk analysis, had insufficient procedures to review system activity, failed to identify and respond to security incidents and failed to implement adequate minimum access controls to prevent access to electronic protected health information (ePHI).

Given the size of the breach, the record-setting settlement amount is not surprising. Notably, a failure to perform a comprehensive risk analysis continues to result in large settlement amounts with OCR after a breach. (See our previous blog posts: “$3.5 M OCR Settlement for Five Breaches Affecting Fewer Than 500 Patients Each” and “OCR Published Three HIPAA Settlements in Two Weeks, Signaling a Ramp Up of HIPAA Enforcement Activity.”)

Accordingly, HIPAA covered entities must perform a system-wide risk analysis that complies with the HIPAA Security Rule as well as perform periodic updates as necessary. That risk analysis, along with evidence of measures implemented to address vulnerabilities identified in the risk analysis, will be the first thing OCR requests in an investigation involving a breach of ePHI.


COMMENTS

  1. Cyber Case Study: Anthem Data Breach

    On January 27, 2015—more than one month after the data warehouse exfiltration—Anthem discovered that the breach had taken place. Within days, the company informed the federal authorities of the incident. The following week, Anthem shared the details of the breach with the public through a written press release on February 4, 2015.

  2. A New In-Depth Analysis of Anthem Breach

    The California Department of Insurance took the lead in releasing on Jan. 6 a report outlining the investigation's findings, plus a regulatory settlement agreement. The settlement document notes ...

  3. PDF LESSONS LEARNED Anthem Data Breach

    Anthem Data Breach In December of 2014, Anthem, Inc., a major health insurance company, suffered a massive data breach when hackers gained access to a corporate database, reportedly containing personal information from as many as 80 million of the health insurer's current and former U.S. customers and employees.

  4. Anthem Pays OCR $16 Million in Record HIPAA Settlement Following

    Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History. Anthem, Inc. has agreed to pay $16 million to the U.S. ... On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, they discovered cyber-attackers had gained access to their ...

  5. Anthem Data Breach Litigation

    Overview. On August 16, 2018, the Honorable Lucy H. Koh in the U.S. District Court for the Northern District of California granted final approval to a $115 million settlement - the largest data breach settlement in U.S. history - ending claims that Anthem Inc., one of the nation's largest for-profit managed health care companies, put 78.8 million customers' personal information ...

  6. Lessons Learned from Anthem Data Breach

    Giving people access to only the data that they need to do their jobs. "Such a policy means that in many cases if someone's account is breached, only a limited subset of data will leak ...

  7. How does a breach like Anthem happen?

    On February 4, 2015, the company disclosed the breach to the public. "Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem ...

  8. Anthem to pay record $115 million to settle U.S. lawsuits over data breach

    Anthem Inc <ANTM.N>, the largest U.S. health insurance company, has agreed to settle litigation over hacking in 2015 that compromised about 79 million people's personal information for $115 ...

  9. Anthem medical data breach

    The Anthem medical data breach was a medical data breach of information held by Elevance Health, known at that time as Anthem Inc. On February 4, 2015, Anthem, Inc. disclosed that criminal hackers had broken into its servers and had potentially stolen over 37.5 million records that contain personally identifiable information from its servers. On February 24, 2015 Anthem raised the number to ...

  10. Anthem to pay nearly $40 million to settle data breach probe by U.S

    Anthem Inc said on Wednesday it would pay $39.5 million as part of a settlement with U.S. states attorneys general following an investigation into a massive cyber-attack at the company in 2015.

  11. Anthem to pay record $115 mln to settle U.S. lawsuits over data breach

    Anthem Inc, the largest U.S. health insurance company, has agreed to settle litigation over hacking in 2015 that compromised about 79 million people's personal information for $115 million, which ...

  12. Analysis: Impact of Anthem Breach Case Ruling

    Attorney Steven Teppler of Abbott Law Group. A federal court's recent rejection of a motion filed by health insurer Anthem Inc. in its attempt to fight a class-action lawsuit in the wake of its massive data breach is important because it upholds the privacy rights of breach victims, says attorney Steven Teppler.

  13. Analysis: Impact of Anthem Breach Case Ruling

    A federal court's rejection of a motion filed by health insurer Anthem Inc. in its attempt to fight a class-action lawsuit in the wake of its massive data breach is important because it upholds the privacy rights of breach victims, says attorney Steven Teppler. Anthem had asked the court for permission to scrutinize plaintiffs' computers for security flaws, an "intimidation tactic," per Teppler.

  14. Anthem Data Breach Results in Large HIPAA Settlement

    This breach continues to be the largest breach of protected health information to date. Yesterday, OCR announced its record-breaking $16 million settlement with Anthem related to the massive ...

  15. The Breach of Anthem Health

    Anthem, Inc., experienced a massive data breach during which more than 37.5 million records were stolen by hackers. The attack actually began well before February, and experts place its beginning somewhere in December of 2014. ... That appears to be the case with Anthem. The huge healthcare firm didn't encrypt the huge volume of personal ...

  16. Anthem Settles Attorneys General Breach Probe for $39.5 Million

    Anthem Inc. must pay $39.5 million in a multistate settlement resolving a data breach that began in 2014 and compromised the personal information of nearly 79 million customers nationwide. Anthem also must strengthen data security practices and schedule third-party assessments and audits for three years, according to a statement by New York Attorney General Letitia James (D).

  17. Take Out

    Anthem paid a price for the data breach, with financial costs totaling more than $230 million. It settled with the federal Office of Civil Rights (OCR) for a $16 million fine.

  18. Anthem Agrees to $115 Million Settlement in Data Breach Litigation

    Cybersecurity. Anthem Agrees to $115 Million Settlement in Data Breach Litigation. June 26, 2017. Indianapolis-based Anthem has agreed to pay $115 million in a proposed settlement to resolve the multidistrict class action litigation relating to the 2015 cyber attack that compromised the personal information of 78.8 million people.

  19. Advances in healthcare security since the Anthem data breach

    The Anthem data breach pushed the total number of records exposed in 2015 to 112 million, and no year since then has seen anything close. However, the number of breaches has increased, from the 250 range to more than 350 most years. So it would be hard to label Anthem a wake-up call that changed the world of healthcare data security.

  20. ThreatConnect, Inc. Case Study Anthem Breach Investigation

    Anthem Breach Investigation: Connecting the Dots with Farsight DNSDB In February 2015, it was revealed that Anthem Inc., the nation's second largest health insurer, suffered a significant data breach. Customer names, dates of birth, Social Security numbers, health care ID numbers, home addresses,

  21. Anthem Inc. Settles State Attorneys General Data Breach Investigations

    The Indianapolis, IN-based health insurer Anthem Inc. has settled a multi-state investigation by state attorneys general over its 78.8 million record data breach in 2014. One settlement was agreed with Attorneys General in 43 states and Washington D.C for $39.5 million and a separate settlement was reached with the California Attorney General ...

  22. Surviving Data Breaches: A Multiple Case Study Analysis

    our study uses a multiple case study approach based on three recent data breaches - Target, Anthem, and Yahoo. We adopt the approach of Breznik et al. (2019) in focusing on how six key firm ...

  23. Vulnerability Analysis Paper-Anthem Healthcare Data Breach

    Vulnerability Analysis Paper. Student Name: Sagar Somwarpet Venugopal. Vulnerability case: Anthem Healthcare Data Breach. Instructor: Dr. Mark Huson. Abstract. The Case study is about the ...