Anthem settles 2015 data breach for $16 million

Anthem, the country’s second largest insurance provider, agreed to pay the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) $16 million after a data breach in 2015 that affected nearly 79 million members and employees. Prior to the Anthem settlement, OCR’s biggest fine in connection with a data breach cost Florida-based Memorial Health System $5.5 million after a breach in 2017 that affected 115,000 people.

  • In 2015, hackers broke into Anthem’s network to steal personal identifying information such as names, dates of birth, Social Security numbers and home addresses
  • A multi-state investigation found that the attack began when a user at an Anthem subsidiary opened a phishing email containing malicious content. This gave the hackers—who some reports suggest worked on behalf of a foreign government, potentially China—remote access to the computer and Anthem’s data warehouse
  • Anthem has since spent $260 million on security improvements. Despite the size of the fine and the scope of the breach, Anthem’s membership increased to 40.2 million in 2017, up four percent from its membership rate in 2015

According to the OCR, the frequency of data breaches among healthcare organizations is only increasing, with 277 breaches occurring within the first nine months of 2018. To best avoid data breaches, the OCR recommends healthcare systems and insurers conduct frequent risk assessments to determine and address their cyber vulnerabilities.


For more information on this topic, or to learn how Baker Tilly healthcare specialists can help, contact our team.
