Anthem, the health insurance company behind Blue Cross-Blue Shield, has agreed to pay nearly $40 million in another settlement over a 2015 cyberattack that compromised the personal information of nearly 79 million people, officials said.
The insurer will pay $39.5 million to settle an investigation by a group of state attorneys general, it announced Wednesday. Anthem said it was the last open investigation into the attack on its technology.
The company also agreed nearly two years ago with the U.S. Department of Health and Human Services to pay $16 million to settle possible privacy violations.
Anthem discovered the data breach in early 2015 after hackers had been burrowing into its systems for weeks. Security experts said at the time that the size and scope of the attack indicated potential involvement by a foreign government.
The Indianapolis-based insurer said Wednesday it did not believe it violated the law in connection with its data security, and that it was not admitting to any violation with its latest settlement.
Two China-based hackers were indicted last year in connection with the attack.
“The attack against Anthem in 2015 was just one example of a growing list of companies victimized by these sophisticated state-sponsored crimes,” the company said Wednesday. “The company is grateful for the support and partnership of the FBI and extended law enforcement teams investigating this attack and to the Department of Justice for their efforts to bring the criminal attack group to justice when two members of that group were indicted in 2019.”
Anthem provides health insurance coverage to more than 42 million people in several states, including key markets like California and New York.
Hackers used a common email technique called spear-phishing, in which unwitting company insiders are tricked into revealing usernames and passwords. The Anthem attackers gained the credentials of system administrators, allowing them to probe deeply into the insurer’s systems.
The attack exposed information that included names, birthdates, Social Security numbers and medical IDs. The company said it has found no indication that the compromised information has led to any incidents of fraud.
The Associated Press contributed to this report.