Form: Cost-of-Breach Disclosure | Source: IBM 2025 | Filed: 28 Apr 2026
DataBreachCost.com
Case File 04.ANT / Anthem Inc. (now Elevance Health) | Disclosed 4 Feb 2015

Case ID

Anthem 2015: $260M+, the breach that reset HIPAA penalty norms.

Anthem disclosed the largest healthcare breach of its era on 4 February 2015 after a state-sponsored intrusion (later attributed by the FBI to China) accessed names, SSNs, dates of birth, employment, and income data for 78.8 million members and former members. The $16M OCR settlement reached in October 2018 was the largest HIPAA penalty to date and reset the upper bound on what the regulator would seek. Total disclosed cost crossed $260M.

Records exposed: 78.8M (largest healthcare breach until 2024)

Total cost: $260M+ (cumulative disclosed)

OCR HIPAA settlement: $16M (then a record, since exceeded)

Class-action settlement: $115M (In re Anthem Inc. Data Breach Litigation)

Section ANT.1

How the breach happened

The intrusion began on 18 April 2014 with a spear-phishing email sent to a small number of Anthem employees. At least one employee clicked the link, triggering the download of a backdoor that gave the attacker initial access to the Anthem network. The attacker remained in the environment for nine months, escalating privileges, mapping the data warehouse, and ultimately exfiltrating member-data records from late January 2015 through early February 2015 before Anthem detected the activity.

The exfiltrated data included names, dates of birth, SSNs, home addresses, employment data, email addresses, and income data for 78.8 million current and former members of Anthem and its affiliated Blue Cross plans. Critically, the data was stored in a way that was technically permissible under HIPAA, but the data warehouse was not protected by the Security Rule's addressable encryption-at-rest safeguard. The OCR investigation centered on this failure to apply encryption to the relevant data warehouse, in addition to identity-management deficiencies that allowed the privilege escalation.

The FBI attributed the attack to Chinese intelligence-affiliated actors in May 2017. The DOJ subsequently indicted Fujie Wang (alias "Dennis Wang") and a second individual in May 2019 for the Anthem intrusion. Neither has been arrested.

Section ANT.2

The $260M cost composition

Cost line item | Amount | Source
Class-action settlement (consolidated) | $115M | Northern District of California, In re Anthem Inc. Data Breach Litigation, August 2017
OCR HIPAA settlement | $16M | HHS OCR press release, 15 October 2018
Multistate AG settlement (43 states + DC) | $39.5M | California AG announcement, 30 September 2020
Credit monitoring and identity restoration (2 years) | ~$60M | Anthem SEC 10-K 2015 disclosure
Internal investigation, IT remediation, legal counsel | ~$30M | Anthem SEC 10-K 2015-2017
Total cumulative cost | $260M+ | Anthem / Elevance SEC 10-K filings 2015-2021

Cost figures partially overlap. The class-action settlement included a credit-monitoring extension that Anthem was also funding separately. The $260M figure reflects the cumulative cash outflow disclosed in SEC filings rather than the strict sum of the headline settlement figures.

Section ANT.3

The OCR $16M HIPAA settlement

The $16M OCR HIPAA settlement announced 15 October 2018 was the largest HIPAA penalty in history at the time, nearly triple the previous record. The OCR investigation found Anthem in violation of HIPAA in four specific areas: failure to conduct enterprise-wide risk analysis, failure to implement sufficient procedures to regularly review information system activity, failure to identify and respond to suspected or known security incidents, and failure to implement adequate minimum access controls to prevent unauthorized access.

Beyond the monetary penalty, the settlement required Anthem to implement a corrective action plan including completion of risk analysis and risk management plan, revision of policies and procedures for information-system activity review, implementation of procedures for security incident response, and revision of access-control policies. The corrective action plan ran for two years with quarterly reporting to OCR.

The Anthem settlement reset the upper bound of OCR enforcement. Prior to October 2018 the largest HIPAA penalty was Advocate Health Care Network's $5.55M in August 2016. Anthem nearly tripled that. The Premera $6.85M settlement in September 2020 and subsequent multimillion-dollar OCR resolutions all sit on the trajectory Anthem established.

Section ANT.4

The class-action settlement: $115M

The consolidated class-action in the Northern District of California, In re Anthem Inc. Data Breach Litigation, settled for $115M in August 2017 and received final approval in August 2018. The settlement structure provided $15M for two years of credit monitoring for all class members (administered by AllClear ID), out-of-pocket cost reimbursement up to $10,000 per class member for documented losses, alternative compensation of up to $50 per class member who did not enrol in credit monitoring, and approximately $38M in attorney fees.

The settlement was challenged on multiple grounds including objections from a small number of class members arguing the per-class-member compensation was inadequate. The Ninth Circuit affirmed final approval in 2019 in a decision that has since been cited extensively in subsequent healthcare-breach class-action settlements. The per-class-member effective value of approximately $1.50 (excluding the credit-monitoring component) for the $115M settlement against the 78.8 million class size has become a benchmark cited by both plaintiff and defendant counsel in subsequent matters.

Section ANT.5

The legacy: encryption at rest and continuous monitoring

The two policy lessons from Anthem that the healthcare sector internalised were encryption at rest and continuous monitoring. Anthem's decision to leave the data warehouse unencrypted was technically permissible under HIPAA because encryption is "addressable" rather than "required" in the Security Rule, but the OCR investigation made clear that the addressable standard required documented analysis of why encryption was not implemented and what alternative safeguard was used. Anthem could not produce that documentation. The post-Anthem industry standard moved decisively toward encryption at rest as the default, with a documented exception process.

The nine-month dwell time was the second teaching moment. Continuous monitoring of unusual data-access patterns is the control that should have caught the privilege escalation and the unusual queries against the member-data warehouse. The post-Anthem investment surge in healthcare SIEM and UEBA (user and entity behaviour analytics) tools was driven directly by this lesson. By 2020, IBM's sector survey showed continuous monitoring coverage at major healthcare insurers had risen from below 40% in 2014 to above 90%.
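The monitoring control described above can be illustrated with a small baseline-and-deviation detector. The code below is an added example, not Anthem's tooling and not part of the original case file; the audit-log lines, user names, table names and source addresses are constructed for the illustration. It builds a per-account profile (median rows returned, tables touched, source addresses seen) from a quiet baseline window, then flags later queries that return far more rows than the account's norm, touch a table the account never queried before, or arrive from a source address not seen in the baseline. Those three signals are the shape of the "unusual queries against the member-data warehouse" the passage says should have been caught.

```python
"""Added example: baseline-and-deviation detector over warehouse audit-log lines.

Everything here is constructed for illustration (hypothetical users, tables,
addresses and row counts); it is not Anthem's data or code.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed audit lines, one per query. Days 5-8 January form a normal
# baseline; the two late-January lines are the anomalous bulk reads.
SAMPLE_LOG = """\
2015-01-05T09:12:01Z user=analyst_a table=member_pii rows=850 src=10.0.4.12
2015-01-06T10:03:44Z user=analyst_a table=member_pii rows=910 src=10.0.4.12
2015-01-07T11:47:19Z user=analyst_a table=member_pii rows=790 src=10.0.4.12
2015-01-08T09:55:02Z user=analyst_a table=member_pii rows=880 src=10.0.4.12
2015-01-05T22:10:00Z user=svc_report table=claims_summary rows=120000 src=10.0.9.3
2015-01-06T22:10:00Z user=svc_report table=claims_summary rows=118000 src=10.0.9.3
2015-01-07T22:10:00Z user=svc_report table=claims_summary rows=121500 src=10.0.9.3
2015-01-08T22:10:00Z user=svc_report table=claims_summary rows=119800 src=10.0.9.3
2015-01-28T02:31:17Z user=analyst_a table=member_pii rows=4200000 src=10.0.77.201
2015-01-29T02:02:48Z user=svc_report table=member_pii rows=3900000 src=10.0.9.3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) table=(?P<table>\S+) "
    r"rows=(?P<rows>\d+) src=(?P<src>\S+)$"
)

# Hypothetical cutoff: everything before it is treated as known-good baseline.
BASELINE_CUTOFF = datetime(2015, 1, 15, tzinfo=timezone.utc)


def parse_log(text):
    """Parse key=value audit lines into dicts, sorted by timestamp.

    Lines that do not match the expected layout are skipped rather than
    crashing the detector, which is what you want on real, messy logs.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "table": m["table"],
                       "rows": int(m["rows"]), "src": m["src"]})
    events.sort(key=lambda e: e["ts"])
    return events


def build_baseline(events, cutoff):
    """Per-user profile from events strictly before `cutoff`."""
    rows, tables, sources = defaultdict(list), defaultdict(set), defaultdict(set)
    for e in events:
        if e["ts"] >= cutoff:
            continue
        rows[e["user"]].append(e["rows"])
        tables[e["user"]].add(e["table"])
        sources[e["user"]].add(e["src"])
    return {u: {"median_rows": statistics.median(rows[u]),
                "tables": tables[u], "sources": sources[u]} for u in rows}


def detect(events, cutoff, volume_factor=10):
    """Flag post-cutoff queries that deviate from the issuing account's baseline.

    A query is reported when it returns more than `volume_factor` times the
    account's median row count, touches a table the account never queried in
    the baseline, comes from an unseen source address, or the account has no
    baseline at all (a brand-new or newly privileged identity).
    """
    baseline = build_baseline(events, cutoff)
    alerts = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        profile = baseline.get(e["user"])
        reasons = []
        if profile is None:
            reasons.append("no_baseline")
        else:
            if e["rows"] > volume_factor * profile["median_rows"]:
                reasons.append("volume")
            if e["table"] not in profile["tables"]:
                reasons.append("new_table")
            if e["src"] not in profile["sources"]:
                reasons.append("new_source")
        if reasons:
            alerts.append({"ts": e["ts"].isoformat(), "user": e["user"],
                           "table": e["table"], "rows": e["rows"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG), BASELINE_CUTOFF):
        print(alert)
```

On the constructed data the detector raises two alerts: the analyst account pulling millions of rows from a new source address, and the reporting service account touching a PII table it had never read before. The `volume_factor` knob is the usual tuning point; a rolling baseline window and a per-table sensitivity weighting are the first refinements a real deployment adds.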


Primary source: Anthem 2015 breach data from In re Anthem Inc. Data Breach Litigation, HHS OCR press release 15 October 2018, California AG announcement 30 September 2020, Anthem SEC 10-K filings 2015-2021, FBI attribution May 2017, and DOJ indictment May 2019.