Anthem (Elevance) Security Issues since 2015

Summary:  This is a living article that tracks security breaches, data privacy incidents, and regulatory enforcement actions involving Anthem (Elevance) from 2015 to the present. Each documented incident includes details about who was involved, what occurred, the scope of impact, financial penalties, and how the matter was resolved. As new breaches or enforcement actions emerge, this article will be continuously updated to reflect the most current information for compliance professionals, payers, and healthcare leaders.


2015 Anthem Data Breach – “Mega Breach” of 78 Million Records

Who: Anthem, Inc.; state Attorneys General; U.S. Dept. of Health & Human Services (HHS) Office for Civil Rights (OCR); class action plaintiffs; hackers ultimately attributed to a foreign state actor.


What: In February 2015, Anthem (then the nation’s second-largest insurer) disclosed a massive cyberattack. Hackers had infiltrated Anthem’s IT systems (as early as Feb 2014) via a phishing email and accessed a database containing nearly 78.8 million individuals’ personal information. Exposed data included names, birthdates, Social Security numbers, member IDs, addresses, emails, employment, and income data—highly sensitive personal/health information. It was one of the most significant healthcare breaches in U.S. history.


Class Action Lawsuits:  Dozens of suits were consolidated. In 2017, Anthem agreed to a then-record $115 million settlement. Finalized in August 2018, it provided 2 years of credit monitoring, up to $50 in cash payments, and coverage of fraud losses.


HIPAA Enforcement:  In October 2018, HHS OCR imposed a $16 million fine for HIPAA violations—then the largest ever. Investigators cited deficient access controls, outdated software, and unencrypted sensitive data.


State Attorneys General: In September 2020, 43 AGs reached a $39.5 million multistate settlement. Separately, California secured an $8.69 million agreement. Anthem agreed to robust reforms—encryption, user access controls, auditing, and “zero trust” protocols.


When:  Breach discovered Jan 2015, announced Feb 4, 2015; settlements in 2017–2020; DOJ indictments in May 2019.


Impact: Affected ~78.8 million people, making it the most significant U.S. health data breach. Regulators noted no widespread fraud by 2020.


Financial Implications: Estimated $179 million in settlements and fines ($115M + $16M + $39.5M + $8.69M), excluding legal and remediation costs.


Status:  Resolved. By 2020, significant regulatory actions were completed. Anthem implemented the required cybersecurity upgrades.


Sources:  California DOJ, New York AG, HHS OCR, Healthcare Finance News

Subsequent Breaches and Data Privacy Incidents

Who: Various Anthem/Elevance affiliates and vendors; class action plaintiffs.


What:  After 2015, Anthem largely avoided similarly large-scale breaches but experienced several notable incidents:


Credential-Stuffing Attack (2017):  Around 18,500 Medicare members were affected when a vendor system was accessed. No major misuse or regulatory action followed.


Vendor File Transfer Breach (2023):  A cyberattack on contractor WebTPA/NationsBenefits (related to the GoAnywhere MFT vulnerability) exposed member data—including names, contacts, and health benefit details. Class actions followed.


WebTPA Class Action Settlement (2025):  In September 2025, a $13.75 million settlement resolved legal claims. Affected consumers received fraud protection and reimbursement funds. Elevance mandated stronger vendor security.


Ongoing Privacy Scrutiny: In 2022, HHS flagged Anthem for potential mobile app data privacy issues. No enforcement has been announced.


When:  Minor breach in 2017; GoAnywhere vendor breach in Jan/Feb 2023; class settlement in Sept 2025.

Financial Implications: The $13.75M WebTPA settlement (shared with co-defendants) was likely covered by insurance. Ongoing privacy efforts add to compliance costs.


Status:  Resolved/Improved. Elevance systems were not directly compromised in 2023, but the company continues strengthening its cybersecurity and third-party oversight.


Sources:  ClassAction.org, JD Supra, Fierce Healthcare

Ongoing Summary

At PCG Software, we specialize in fraud, waste, and abuse (FWA) monitoring—and that includes tracking security lapses that put protected health information (PHI) at risk. We will continue to update this article with any new Anthem/Elevance cybersecurity incidents, litigation, or enforcement actions to help healthcare organizations stay informed, compliant, and protected. Subscribe to our blog for the latest updates.



About PCG

For over 30 years, PCG Software Inc. has been a leader in AI-powered medical coding solutions, helping Health Plans, MSOs, IPAs, TPAs, and Health Systems save millions annually by reducing costs, fraud, waste, abuse, and improving claims and compliance department efficiencies. Our innovative software solutions include Virtual Examiner® for Payers, VEWS™ for Payers and Billing Software integrations, and iVECoder® for clinics.
