Anthem will pay a $39.5 million settlement to a group of state attorneys general following an investigation into a 2015 cyberattack, according to a Wednesday announcement.
Anthem said it was a victim of a “sophisticated state sponsored criminal attack group,” and said it does not believe it violated data security laws and is not admitting any violations in the settlement. Anthem said no evidence has been found indicating the hack resulted in fraud.
The payer said it has resolved the matter and the investigation is officially closed. It previously shelled out other payments regarding the same attack for impacted patients and HIPAA violations.
The settlement ends a long-standing investigation into the payer following a series of targeted cyberattacks that exposed the electronic protected health information (ePHI) of almost 79 million people.
Compromised data included names, Social Security numbers, medical identification numbers, addresses, birth dates, email addresses and employment information, according to an earlier investigation from HHS Office for Civil Rights.
Anthem settled with OCR in 2018, paying $16 million for HIPAA violations. It also agreed to a $115 million settlement to pay for four years of credit monitoring and all other claims, costs and fees for affected individuals.
OCR’s investigation concluded the payer failed to employ basic security measures to protect patient information, such as conducting regular enterprisewide risk analysis or regularly reviewing information system activity.
However, in each of the settlements, Anthem has denied any wrongdoing on its part.
It rests the blame on a China-based group that a federal grand jury indicted last year for the Anthem hack and three other attacks involving large businesses. At the time, the FBI said Anthem’s urgency in notifying the government of the hack and its cooperation helped identify the people responsible for the breaches.
Although the initial hack occurred almost five years ago, cybersecurity remains a key issue in healthcare as the industry continues to rapidly adopt new systems to virtually manage records and care.
On Monday, one of the largest for-profit hospital chains in the U.S., Universal Health Services, shut down its IT networks following reports of a massive ransomware attack.
Hospitals may be more motivated than other organizations to quickly pay hackers to get their IT systems up again in those kinds of attacks, given that patient health and the security of sensitive data are on the line. UHS said it had “no evidence” patient or employee data was accessed or misused, though the extent of the breach is still being determined.
The National Institute of Standards and Technology has a framework businesses can use to manage and protect themselves against cyberattacks, though a recent report from consulting firm CynergisTek found healthcare organizations lacking.
Overall, only 44% of healthcare institutions met NIST standards in 2019 — down from 45% in 2017 and 47% in 2018.