The Employer’s Fraud Task Force meeting this week in Commerce focused on patient identity theft, a massive and growing health care fraud problem. The speaker – Mike McKee, Senior Special Agent of the National Insurance Crime Bureau (NICB) – presented many case examples, including the now infamous breach perpetrated upon Anthem.
So what ever happened to the perpetrators of the Anthem breach?
According to a report by Axios, it’s been more than two years since health insurer Anthem publicly announced it was the target of a cyberattack. Hackers stole the birthdays, Social Security numbers and other data for nearly 80 million people – the largest health care data breach ever – yet there are still some unanswered questions.
There’s no definitive conclusion as to who the hackers were, or whether Anthem faces penalties from the federal government. However, some useful information came from a recent investigation by multiple state departments of insurance.
What we know:
1) Anthem executives have not addressed the cyberattack in any earnings calls since it was announced.
2) Officials say there’s no evidence that medical or credit card information was stolen.
3) Anthem has spent at least $260.5 million related to the data breach, most of which went toward improving security and providing credit protection to people who were affected. A spokeswoman said Anthem is still taking “steps to help ensure the security of our systems.”
4) The two years of free credit monitoring Anthem provided are up. However, this past December, the National Association of Insurance Commissioners concluded Anthem has to pay more than $15 million for a credit freeze to the roughly 12 million affected Anthem members who were 18 years old or younger at the time of the breach.
What we don’t know:
1) Anthem has not disclosed the value of its cyber insurance policy, which defrays some of the costs.
2) The hackers were most likely working on behalf of a foreign government. Many security experts believe it was China, but that has not been proven yet. The FBI would not comment on the pending investigation.
3) It’s unclear if Anthem will face a federal penalty. It’s by far the largest health care data breach, and the Department of Health and Human Services has imposed fines in the past. The HHS Office for Civil Rights said it “cannot comment on open or potential investigations.” Adam Greene, a former HHS official, said it usually takes three to four years before a settlement is reached, and “it’s certainly not a given” that HHS will pursue a fine if it believes Anthem had safeguards in place.
4) We don’t know for sure that Anthem was fully protected from this type of attack, and a separate federal agency that had a contract with Anthem previously said the insurer did not have controls in place “to prevent rogue devices…from connecting to its networks.”
5) Class-action lawsuits are still pending, and fact-finding discovery ended in December. Anthem could escape big damages if people can’t show concrete harm.
Mike McKee made a compelling argument about the use of stolen identities for purposes of billing in California Workers’ Compensation claims. Perpetrators have ready access to lists of patient information – for a price – from sellers on the dark web. Patient identities are readily bought and sold as a lucrative commodity.