Anthem settles 2015 cybersecurity breach for $39.5 million

This is the last open investigation related to the 2015 cyberattack that breached the PHI of close to 79 million people.

Susan Morse, Managing Editor

Anthem has reached a $39.5 million settlement with the group of state attorneys general investigating the 2015 cyberattack against the company.

Anthem said it was the victim of a sophisticated state-sponsored criminal attack group. It cooperated with the state attorneys general throughout their investigation and agreed to pay a $39.5 million settlement in connection with their investigation.

The company said it does not believe it violated the law in connection with its data security and is not admitting to any such violations in the settlement.

As part of the settlement, Anthem has made commitments on protecting information. Anthem said it continues to invest in a secure framework, security software and hardware, and security monitoring. It maintains relationships with external cybersecurity experts and is active in the Health Information Trust Alliance (HITRUST).


This is the last open investigation related to the 2015 cyberattack and the settlement now resolves the matter.

In 2018, Anthem agreed to pay $16 million to the Department of Health and Human Services Office for Civil Rights to settle HIPAA violations after the series of cyberattacks exposed the protected health information of close to 79 million people. It was called the largest health data breach in the country.  

Following the investigations, no evidence was found that information obtained through the cyberattack resulted in fraud, Anthem said.


At the time of the incident, Anthem said its first priority was to ensure that its systems were secure, and that it immediately engaged the FBI and a world-class security organization.

Anthem was among a growing list of companies victimized by these sophisticated state-sponsored crimes. 

The cyberattacker who targeted Anthem was acting on behalf of a foreign government, according to the California Department of Insurance.

The Department of Justice indicted two members of the criminal attack group in 2019.

Twitter: @SusanJMorse