In late 2014, Anthem—a well-known health insurance company that provides coverage to more than 100 million Americans—suffered a large-scale data breach. Foreign cybercriminals used malicious email tactics to gain access to Anthem’s computer systems and subsequently compromised millions of members’ personal information. The Anthem data breach was revealed to the public in early 2015, causing widespread alarm among Anthem’s members and costing the company hundreds of millions of dollars in recovery efforts and legal expenses.
This breach has since been dubbed one of the most devastating cyber incidents within the U.S. health care industry, contributing to a nationwide conversation about the importance of data protection. In the aftermath, organizations can learn various cybersecurity lessons by reviewing the details of this incident, its impact and Anthem’s mistakes along the way. Here’s what your organization needs to know.
The Details of the Anthem Data Breach
On February 18, 2014, the Chinese cybercriminal group Deep Panda used a phishing scam to trick an Anthem employee into opening an email containing malicious content. Once the email was opened, the cybercriminals deployed a malware program on the employee’s computer. Through this program, Deep Panda moved laterally within Anthem’s networks, eventually gaining access to more than 50 employee accounts and 90 different systems. Among these systems was the company’s data warehouse, which held the records of millions of Anthem members.
After infiltrating Anthem’s data warehouse, the cybercriminals began exfiltrating records from this system. By December 10, 2014, Deep Panda had exfiltrated nearly 80 million Anthem members’ records. These records included a wide range of personal details—including names, birthdates, Social Security numbers, health care identification numbers, contact information (e.g., email and home addresses) and income data. Fortunately, members’ credit card information, medical history and claims data were not compromised.
On January 27, 2015—more than one month after the data warehouse exfiltration—Anthem discovered that the breach had taken place. Within days, the company informed the federal authorities of the incident. The following week, Anthem shared the details of the breach with the public through a written press release on February 4, 2015. Later that month, the company hired a cybersecurity firm to investigate how the breach occurred and develop measures to prevent future incidents. In the following years, the U.S. Department of Justice indicted multiple Chinese hackers associated with Deep Panda for their involvement in the incident.
The Impact of the Anthem Data Breach
In addition to compromised data, Anthem faced several consequences following the large-scale breach.
The company incurred significant recovery expenses after the breach took place. In fact, the incident is estimated to have cost Anthem a total of nearly $260 million. Breaking down these expenses, the company first spent over $30 million in the process of notifying the public of the breach. In an attempt to support members affected by the incident, Anthem then spent $112 million to offer these individuals credit monitoring and identity theft protection. From there, the company spent an additional $2.5 million to receive assistance from expert consultants during the investigation. Lastly, Anthem spent $115 million to bolster multiple workplace cybersecurity measures and implement enhanced data protection protocols.
Anthem also received widespread criticism from its members, the media and security experts after the breach. Although the company possessed various cybersecurity measures and an incident response plan that helped mitigate damages upon discovering the breach, Anthem still experienced scrutiny for its lackluster data protection procedures. Namely, the company failed to encrypt the records held in its data warehouse—a vital step that could have kept members’ personal details private from Deep Panda and largely minimized the incident’s overall impact.
In the years following the breach, Anthem faced numerous lawsuits from several parties. The company first reached a $115 million class-action settlement in 2017 with individuals impacted by the incident. In 2018, Anthem then paid a record-setting $16 million settlement to the Office for Civil Rights for Health Insurance Portability and Accountability Act (HIPAA) violations stemming from the breach. Prior to this settlement, the highest HIPAA penalty recorded was less than $6 million. Most recently, Anthem paid a $39.5 million settlement in 2020 to a coalition of 44 states to resolve a variety of breach-related claims.
Lessons Learned from the Anthem Data Breach
There are several cybersecurity takeaways from the Anthem data breach. Specifically, the incident emphasized these critical lessons.
Employee training is critical.
Employees are often the first line of defense against cyber incidents. This point was certainly emphasized during the Anthem data breach. If Anthem’s staff had been able to recognize Deep Panda’s deceptive email tactics, this incident likely could have been prevented altogether. With this in mind, it’s vital for all employees to receive sufficient workplace cybersecurity training. Knowing how to detect and respond to potential cyberthreats—such as phishing scams—can help employees stop cybercriminals in their tracks. Specifically, employees should be educated on these security best practices:
- Avoid opening or responding to emails from unfamiliar individuals or organizations. If an email claims to be from a trusted source, verify the sender’s identity by double-checking the full email address.
- Never click on suspicious links or pop-ups, whether they’re in an email or on a website. Don’t download attachments or software programs from unknown sources or locations.
- Utilize unique, complicated passwords for all workplace accounts. Never share credentials or other sensitive information online.
Data protection should be a top priority.
Despite having other valuable cybersecurity measures in place during the breach, Anthem left its members’ records vulnerable by neglecting to implement data protection protocols. Especially within the health care sector, leaving data unprotected can have severe consequences. Because health care data often includes information (e.g., individuals’ personal details and intellectual property pertaining to medical research) that’s considered highly valuable to cybercriminals, such data is more likely to be targeted in a breach. In fact, a stolen health care record is typically valued at approximately $250 on the black market, whereas the next highest value record (e.g., stolen credit card information) drops to just $5.40. In any case, Anthem’s data security shortcomings showcased how crucial it is to take extra steps to safeguard sensitive information so that losses are limited when a cyber incident does occur. Key data protection measures include:
- Encrypting all sensitive workplace data
- Restricting employees’ access to sensitive data on an as-needed basis
- Requiring employees to utilize multi-factor authentication before accessing sensitive data
- Segmenting workplace networks
- Conducting routine data backups in a secure, offline location
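As an added illustration of the first measure (this is example code, not code from the original article or from Anthem), the following Go program encrypts the sensitive columns of a member row with AES-GCM before the row reaches the warehouse, so that a copied table reveals only ciphertext for the field types the article lists as exposed. The column names, the 32-byte key and the member ID used as authenticated data are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// NewAEAD builds an AES-GCM instance; a 32-byte key selects AES-256.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one value; a fresh nonce is prepended and the member ID is bound in as authenticated data.
func Seal(aead cipher.AEAD, memberID, plaintext string) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return hex.EncodeToString(aead.Seal(nonce, nonce, []byte(plaintext), []byte(memberID))), nil
}

// Open reverses Seal; any change to key, nonce, ciphertext or member ID errors.
func Open(aead cipher.AEAD, memberID, encoded string) (string, error) {
	raw, err := hex.DecodeString(encoded)
	if err != nil || len(raw) < aead.NonceSize() {
		return "", errors.New("malformed ciphertext")
	}
	pt, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], []byte(memberID))
	return string(pt), err
}

// ProtectRow seals the sensitive columns in place before the row is stored;
// member_id stays in the clear so the warehouse can still join and query rows.
func ProtectRow(aead cipher.AEAD, row map[string]string) error {
	for _, col := range []string{"name", "dob", "ssn", "email"} {
		ct, err := Seal(aead, row["member_id"], row[col])
		if err != nil {
			return err
		}
		row[col] = ct
	}
	return nil
}
```

Because the member ID is bound in as additional authenticated data, a ciphertext copied onto a different member's row fails to decrypt, which is a cheap integrity check the warehouse gets for free.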
Effective security software is a must.
Apart from employee training and data protection, a wide range of security software could have helped Anthem detect, mitigate and potentially prevent this breach. Although this software may seem like an expensive investment, it’s well worth it to avoid devastating cyber incidents. Necessary security software to consider includes network monitoring systems, antivirus programs, endpoint detection products and patch management tools. This software should be utilized on all workplace technology and updated regularly to ensure effectiveness. Also, it’s valuable to conduct routine penetration testing to determine whether any security gaps or unresolved vulnerabilities remain despite this software. If such testing reveals any problems, these issues should be addressed immediately.
Proper coverage can provide much needed protection.
Finally, this breach made it clear that no organization—not even a major health insurance company—is immune to cyber-related losses. That’s why it’s crucial to ensure adequate protection against potential cyber incidents by securing proper coverage. Make sure your organization works with a trusted insurance professional when navigating these coverage decisions.
For more risk management guidance and insurance solutions, contact us today.