Anthem settles class action suit triggered by 2015 hack attack

The biggest players in the health care field aren't immune to data breaches, as a report from HR and Employment News - one of Part B News' sibling publications - shows:
Anthem Inc. agreed to pay $115 million, and take specified corrective actions, to settle a consolidated class action that resulted from the massive cyberattack suffered by the health insurer.
The breach affected approximately 79 million people and was cited in an August 2016 GAO report, "HHS needs to strengthen security and privacy guidance and oversight":
In January 2015, Anthem, Inc. learned of a large-scale cyberattack on its IT systems. According to Anthem, the cyber-attackers obtained PII for approximately 79 million individuals with Anthem accounts and individuals who receive health care services in any of the areas that Anthem serves, including names, dates of birth, Social Security numbers, health care ID numbers, home addresses, e-mail addresses, and employment information such as income data. Anthem reported that, after discovering the attack, it contacted the FBI, began working to close the security vulnerability, and contracted with a cybersecurity firm to assist in the investigation and to strengthen the security of its systems. Anthem also set up a website with information specific to the incident and arranged to have identity protection services provided to compromised individuals at no cost for 2 years.
According to HR and Employment News,
The settlement fund includes $17 million to provide the affected individuals with 2 years of credit monitoring and identity restoration services. Those who have already signed up for such services can apply for reimbursement payments. Another $15 million will be set aside to pay for out-of-pocket costs that are “fairly traceable” to the breach, such as preventative measures or unreimbursed losses from misuse of the data. The settlement also includes “business practice commitments” regarding Anthem’s data security practices. This will include archiving databases with strict access controls and monitoring requirements, strengthening various data security controls, encrypting certain information, and guaranteeing a specified level of funding for Anthem’s information security, according to Girard Gibbs, one of the plaintiffs’ law firms.
A look at the HHS Office of Civil Rights' breach report -- sometimes known as the Wall of Shame -- shows that this isn't Anthem's only brush with unintended health information leaks. More than 3,500 people were affected by an unauthorized access/disclosure breach, according to an Oct. 26, 2016 report.
Blog Tags: Privacy, security