Anthem, Inc. (operating as Elevance Health) experienced a significant data breach disclosed on November 19, 2025, exposing highly sensitive personally identifiable information (PII) of individuals. The breach compromised names, addresses, dates of birth, Social Security numbers, medical records, and driver’s license numbers—data prime for identity theft, fraud, or financial exploitation. In Massachusetts alone, 1,162 individuals were affected, with broader impact across other states still under investigation. The exposed medical records heighten risks of targeted scams, unauthorized access to healthcare services, or blackmail. Victims face potential long-term consequences, including financial loss, credit damage, and emotional distress. Anthem offered identity theft protection services, but the scale and sensitivity of the leaked data underscore severe reputational harm and regulatory scrutiny. Legal firms are pursuing class-action lawsuits for compensation, citing negligence in safeguarding consumer data.

In 2015, Anthem Inc., a major U.S. health insurer and a hypothetical client under Elliot Golding’s cybersecurity advisory, suffered one of the largest healthcare data breaches in history. Cybercriminals executed a sophisticated phishing attack, compromising credentials of multiple employees to infiltrate Anthem’s IT systems. Over 78.8 million records were exposed, including names, birthdates, Social Security numbers, healthcare IDs, home addresses, email addresses, and employment details—both of current and former employees and customers.The breach was discovered after an internal database administrator noticed unauthorized queries extracting massive datasets. Forensic investigations revealed the attackers had exfiltrated data undetected for weeks, exploiting gaps in multi-factor authentication and segmentation controls. While no medical records or credit card numbers were stolen, the sheer volume of personally identifiable information (PII) and protected health information (PHI) triggered regulatory scrutiny under HIPAA and state breach laws.Anthem faced class-action lawsuits, federal investigations by OCR (Office for Civil Rights), and state AG enforcement actions—aligning with Elliot Golding’s expertise in defending clients under such circumstances. The breach eroded customer trust, led to fraudulent activity spikes (e.g., tax refund fraud using stolen SSNs), and cost Anthem $115 million in settlements, including a record $16M HIPAA fine. The incident underscored vulnerabilities in third-party vendor access and legacy system protections, areas Golding’s practice actively addresses.

On October 27, 2021, the U.S. Department of Health and Human Services reported that Anthem, Inc. experienced a data breach due to theft, affecting 5,505 individuals. The breach involved the theft of an external back-up device and claims folder containing protected health information (PHI), including names, addresses, dates of birth, Social Security numbers, and claims information.

The California Office of the Attorney General disclosed a data breach at Anthem, Inc., stemming from a physical break-in at a third-party vendor’s office on August 3, 2021. The incident was reported on October 28, 2021, exposing personal information, including names and healthcare identifiers of an undisclosed number of individuals. While the breach originated from a physical intrusion rather than a direct cyber attack on Anthem’s systems, the compromised data belonged to individuals associated with the company, indicating a leak of sensitive personal and healthcare-related information. The delay in detection and reporting (nearly three months) raises concerns about vendor security protocols and the potential for misuse of stolen identifiers, such as medical identity theft or fraud. Although the full scope of the exposure remains unclear, the involvement of healthcare data—a high-value target for cybercriminals—elevates the risk of downstream financial or reputational harm for affected individuals and the organization. The breach underscores vulnerabilities in third-party risk management, particularly when physical security lapses intersect with data protection obligations under regulations like HIPAA (Health Insurance Portability and Accountability Act).

On October 15, 2021, Anthem, Inc. suffered a data breach stemming from a ransomware attack on its third-party vendor, PracticeMax. The incident involved unauthorized access to the network between April 17, 2021, and May 5, 2021, leading to the potential compromise of sensitive patient data. The exposed information included names, dates of birth, addresses, phone numbers, Anthem member IDs, and clinical records related to kidney care services. The breach posed significant risks to patient privacy, financial security, and healthcare continuity, as the leaked data could facilitate identity theft, targeted phishing, or fraudulent medical claims. While the attack was contained, the exposure of protected health information (PHI)—especially clinical data—heightened concerns over compliance violations (e.g., HIPAA) and long-term reputational damage. The incident underscored vulnerabilities in third-party vendor security and the cascading impact of ransomware on healthcare ecosystems.

On December 31, 2021, the California Office of the Attorney General reported that Anthem, Inc. experienced a data breach involving OneDigital that may have affected personal information, including social security numbers and health records. The unauthorized access occurred in January 2021, and the breach potentially involved the personal information of an unknown number of individuals.

The Iowa Attorney General's Office reported that Anthem, Inc. experienced a data breach related to a widely-reported cyber attack on July 6, 2015. The breach potentially impacted personal information of 22,999 Iowa residents among others, but the specific method of the breach is not detailed.

The California Office of the Attorney General reported that Anthem, Inc. experienced a cyber-attack resulting in unauthorized access to personal information on January 27, 2015. The reporting date for this breach was April 27, 2015. The specific methods of breach and number of individuals affected are unknown.

On February 13, 2015, the California Office of the Attorney General reported a data breach involving Anthem, Inc. The breach was discovered on January 29, 2015, and unauthorized access to personal information, including names, Social Security numbers, and health care ID numbers, potentially affected current and former members of Anthem's health plans. The number of individuals impacted is unknown.