Anthem to pay $39.5 million to states in latest settlement over 2015 hack

The company previously agreed to pay $115 million in connection with the incident.
Anthem breach settlement
(Matthew Hurst / Flickr)

Anthem has agreed to pay $39.5 million in penalties and fees resulting from a sweeping 2015 cyberattack on the health insurer as part of a multi-state settlement, the company announced Wednesday.

It’s the latest fallout from a major data breach that exposed data on some 79 million people, and which U.S. authorities have blamed on a Chinese hacker.

The settlement, based on an investigation by attorneys general in over 40 states, requires Anthem to implement a security program that includes penetration-testing, and logging and monitoring of networks. It also bars Anthem from misrepresenting how the company protects its customers’ privacy and security, according to the New York attorney general’s office.

“The company is pleased to have resolved this matter, which is the last open investigation related to the 2015 cyberattack,” Indianapolis-based Anthem said in a statement, adding that it has an “ongoing and consistent focus on protecting information.”


The repercussions of the Anthem hack are an example of how big companies in various sectors, ranging from Capital One to Fiserv, are being forced to defend their information security practices in litigation.

The incident at Anthem, one of the largest U.S. health insurers, began in February 2014, with a phishing email to one of Anthem’s subsidiaries. Anthem did not discover the intrusion until months later, and announced it in February 2015.

The impact was dramatic. The hackers stole sensitive personal data, including Social Security numbers, and prompted a record $16 million settlement with the U.S. government over potential Health Insurance Portability and Accountability Act violations. A separate $115 million settlement in 2017 forced Anthem to pay credit monitoring and reimbursement fees to customers.

Anthem found no evidence of fraud stemming from the hack, the company reiterated on Wednesday.

A 2019 indictment of an accused Chinese hacker for the Anthem breach did not point the finger directly at Beijing. But U.S. government officials have cited that breach, along with other major hacks at the Office of Personnel Management and credit-monitoring firm Equifax, as potential intelligence bonanzas for the Chinese government. Beijing has denied having a role in the hacks.


In its statement, Anthem referred to the cyberattack as a “state-sponsored crime.”

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts