INDIANAPOLIS (AP) — Health insurer Anthem has agreed to another multimillion-dollar settlement over a cyberattack on its technology that exposed the personal information of nearly 79 million people.
The Blue Cross-Blue Shield insurer said Wednesday that it will pay $39.5 million to settle an investigation by a group of state attorneys general. Anthem said it was the last open investigation into the attack.
The company also agreed nearly two years ago with the U.S. Department of Health and Human Services to pay $16 million to settle possible privacy violations.
Indianapolis-based Anthem Inc. provides health insurance coverage to more than 42 million people in several states, including key markets like California and New York.
The company discovered the data breach in early 2015 after hackers had been burrowing into its systems for weeks. Security experts said at the time that the size and scope of the attack indicated potential involvement by a foreign government.
Hackers used a common email technique called spear-phishing in which unwitting company insiders are tricked into revealing usernames and passwords. The Anthem attackers gained the credentials of system administrators, allowing them to probe deeply into the insurer’s systems.
The attack exposed information that included names, birthdates, Social Security numbers and medical IDs.
Last year, a federal grand jury indicted two members of a hacking group operating from China in the attack.
Anthem said Wednesday that it was the victim of a “sophisticated state sponsored criminal attack group” in the attack. The insurer said it did not believe it violated the law in connection with its data security, and it was not admitting to that with its latest settlement.
The insurer also said that it has found no evidence that information obtained in the attack led to fraud.
Shares of Anthem climbed nearly 3% to $267.21 in morning trading, while broader indexes rose around 1%.
Follow Tom Murphy on Twitter: @thpmurphy