A massive data breach emerged at the end of 2014 at Anthem, a well-known health insurance provider serving over 100 million Americans. Foreign cybercriminals gained access to Anthem’s computer systems by using fraudulent email, that allowed them to breach the personal data of millions of members.
Early in 2015, the public learned of the Anthem data hack, which sent shockwaves through the company’s membership and cost it hundreds of millions of dollars in litigation fees and recovery costs. Since then, the U.S. health care sector has referred to this breach as one of the most catastrophic cyber disasters, that has sparked a national dialogue on the significance of data protection.
$115 Million Settlement in Massive Anthem Breach Case
Just to resolve a class-action lawsuit resulting from a 2015 data breach that compromised the personal data of about 80 million members and workers, Anthem will pay a record $115 million. In addition to providing two years of credit protection and paying $15 million in out-of-pocket expenses for those impacted, the firm committed to allocate funds for cybersecurity enhancements.
The payment surpasses Anthem’s $100 million insurance coverage against cyberattacks at the time of the hack and is among the greatest amounts ever for a data breach settlement. Since the payer faced harsh criticism for both its handling of the breach and its level of preparation or lack thereof it is probably glad to put an end to the affair.
Background of this Breach
The first breach happened in February 2015 when an employee clicked on a phishing email, according to a report from the California Department of Insurance. Most likely, a foreign government was responsible for the breach. The audit also stated that Anthem responded in a “quick and effective” manner and had implemented appropriate safeguards for its data. Despite aware of cybersecurity flaws discovered during a 2013 audit, Anthem was nonetheless compromised by a simple password breach and neglected to encrypt sensitive information.
It was also punished for not informing anyone affected for a few weeks. It is common for months to go by before a corporation known of a breach, and it is unlikely that the breach can be successful without suffering a significant financial setback. The US healthcare sector loses $6.2 billion annually as a result of health data breaches.
Details of the Anthem Data Breach
An Anthem employee was tricked into opening a malicious email on February 18, 2014, by the Chinese cybercriminal outfit Deep Panda, using a phishing scheme. Upon opening the email, the crooks infected the employee’s PC with malware. With the use of this malware, Deep Panda was able to navigate between Anthem’s networks and finally obtain access to over 50 employee accounts and ninety distinct systems. The data warehouse of the organization, which included the information of millions of Anthem subscribers, was one of these systems.
Following their breach of Anthem’s data warehouse, the hacker started transferring data from this system. Private data, such as names, birthdates, Social Security numbers, health care identifying numbers, contact details (such as email addresses and home locations), and salary information, were contained in these reports. Thankfully, the credit card details, medical records, and claims information of the members were not exposed.
Anthem found out about the intrusion on January 27, 2015, which was nearly a month after the data warehouse exfiltration. The event was reported to federal authorities by the corporation in a matter of days. The public was informed of the breach’s data by Anthem the next week on February 4, 2015, via a printed news statement. Later on in the month, the business engaged a cybersecurity consultancy to look into the breach’s cause and create plans to stop similar ones in the future. Several Chinese hackers connected to Deep Panda were ultimately charged by the US Department of Justice for their roles in the incident in the years that followed.
Anthem’s solution
Anthem implemented a number of security-enhancing and incident-prevention measures in reaction to the highly skilled hack. They engaged a cybersecurity company to look into the assault and create countermeasures, notified the relevant federal authorities of the breach, and emailed alerts to impacted consumers.
Along with implementing an extensive corrective action plan in accordance with HIPAA regulations, Anthem also consented to pay a record $16 million HIPAA settlement. A thorough enterprise-wide risk analysis, routine reviews of information system activity, detection and handling of suspected or confirmed security issues, and the implementation of suitable minimum access limits were all part of this approach.
Anthem Data Breach- Impact
Huge Recovery costs
Following the breach, the organization had to pay large recovery costs. In reality, Anthem’s overall anticipated losses from the event are close to $260 million. When analyzing these costs, the company found that the process of alerting the public about the breach cost them more than $30 million. Anthem subsequently invested $112 million to provide these members with identity theft protection and credit monitoring in an effort to assist those impacted by the tragedy. From there, the organization paid an extra $2.5 million to have professional advisors help with the inquiry.
Downfall of goodwill
Following the incident, Anthem was heavily criticized by its members, the media, and security experts. Anthem came under fire for its shady data protection practices even though the business has a number of cybersecurity safeguards and an incident response strategy in place that helped limit losses when the breach was discovered. The organization specifically neglected to encrypt the records stored in its data warehouse, a crucial action that might have prevented Deep Panda from learning about member’s sensitive information and significantly reduced the incident’s total effect.
Security Improvements
Along with the monetary fund, Anthem will also have to ensure that information security would receive a specific amount of funding and implement or maintain a number of specific changes to its data security systems, such as encrypting specific data and archiving sensitive data under strict access controls. The settlement aims to establish optimal cybersecurity procedures to prevent such data breaches, compensate class members, and shield them from future risk.
Jaxon Elias is a writer, poet, and finance expert. He graduated from the Craig School of Business in 2014 and later completed the “Leading with Finance” course from Harvard University Online. Additionally, he has worked as a freelancer for various media houses