Mar 1, 2017

Anthem's historic data breach: What we still don't know 2 years later


It's been more than two years since health insurer Anthem publicly announced that it had been the target of a cyberattack. Hackers stole the birthdays, Social Security numbers and other data of nearly 80 million people, the largest health care data breach on record, yet some questions remain unanswered.

There's no definitive conclusion about who the hackers were, or about whether Anthem will face penalties from the federal government. However, some useful information came from a recent examination by multiple state departments of insurance.

What we know:

  • Anthem executives have not addressed the cyberattack in any earnings calls since it was announced.
  • Officials say there's no evidence that medical or credit card information was stolen.
  • Anthem has spent at least $260.5 million related to the data breach, most of which went toward improving security and providing credit protection to people who were affected. A spokeswoman said Anthem is still taking "steps to help ensure the security of our systems."
  • The two years of free credit monitoring Anthem provided are up. However, this past December, the National Association of Insurance Commissioners concluded that Anthem must pay more than $15 million to fund credit freezes for the roughly 12 million affected Anthem members who were 18 years old or younger at the time of the breach.

What we don't know:

  • Anthem has not disclosed the value of its cyber insurance policy, which defrays some of the costs.
  • Who the hackers were. They were most likely working on behalf of a foreign government; many security experts believe it was China, but that has not been proven. The FBI would not comment on the pending investigation.
  • It's unclear if Anthem will face a federal penalty. It's by far the largest health care data breach, and the Department of Health and Human Services has imposed fines in the past. The HHS Office for Civil Rights said it "cannot comment on open or potential investigations." Adam Greene, a former HHS official, said it usually takes three to four years before a settlement is reached, and "it's certainly not a given" that HHS will pursue a fine if it believes Anthem had safeguards in place.
  • Whether Anthem's defenses were adequate against this type of attack. A separate federal agency that had a contract with Anthem had previously found that the insurer did not have controls in place "to prevent rogue devices...from connecting to its networks."
  • Class-action lawsuits are still pending, and fact-finding discovery ended in December. Anthem could escape big damages if people can't show concrete harm.
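The rogue-device finding above is about a basic control: knowing which devices are on your network and noticing when one shows up that you did not put there. The script below is an added illustration of that check, not Anthem's code or the auditing agency's; the asset inventory, the vendor-prefix (OUI) table and the ISC dhcpd-style syslog lines are all constructed for the example. It reconciles DHCP leases against the inventory and flags a device when its MAC is not inventoried, when its vendor prefix is not one the organization buys, or when it claims the hostname of an inventoried asset under a different MAC (a cheap spoofing trick that a hostname-only check would miss).

```python
"""Flag devices that obtain a DHCP lease but are not in the asset inventory.

Added example: the inventory, OUI table and log lines are constructed,
and the syslog format mimics ISC dhcpd's DHCPACK messages.
"""
import re
from collections import namedtuple

# Constructed asset inventory: normalized MAC -> (hostname, owning team).
ASSET_INVENTORY = {
    "00:1a:2b:3c:4d:5e": ("ws-fin-017", "finance"),
    "00:1a:2b:3c:4d:5f": ("ws-fin-018", "finance"),
    "3c:52:82:aa:bb:cc": ("printer-hq-2", "facilities"),
}

# Constructed OUI prefixes of hardware the organization actually procures.
CORPORATE_OUIS = {
    "00:1a:2b": "corporate laptops (assumed vendor)",
    "3c:52:82": "corporate printers (assumed vendor)",
}

# Constructed dhcpd-style syslog excerpt. Note the DHCPDISCOVER line (ignored),
# the repeated lease for the same MAC (reported once), an unknown phone, and a
# device claiming the hostname ws-fin-017 from a MAC that is not ws-fin-017.
SAMPLE_LOG = """\
Feb  4 09:12:01 dhcp1 dhcpd: DHCPACK on 10.0.5.23 to 00:1a:2b:3c:4d:5e (ws-fin-017) via eth0
Feb  4 09:12:44 dhcp1 dhcpd: DHCPACK on 10.0.5.24 to 00:1a:2b:3c:4d:5f (ws-fin-018) via eth0
Feb  4 09:13:10 dhcp1 dhcpd: DHCPDISCOVER from 6c:40:08:11:22:33 via eth0
Feb  4 09:13:11 dhcp1 dhcpd: DHCPACK on 10.0.5.77 to 6c:40:08:11:22:33 (android-9f3a) via eth0
Feb  4 09:15:02 dhcp1 dhcpd: DHCPACK on 10.0.5.78 to 00:1A:2B:99:88:77 (ws-fin-017) via eth0
Feb  4 09:15:30 dhcp1 dhcpd: DHCPACK on 10.0.5.77 to 6c:40:08:11:22:33 (android-9f3a) via eth0
"""

DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]{17})"
    r"(?: \((?P<name>[^)]*)\))? via (?P<iface>\S+)"
)

Finding = namedtuple("Finding", "ip mac hostname reasons")


def normalize_mac(mac):
    """Lower-case and use colons so inventory lookups are case/format-insensitive."""
    return mac.lower().replace("-", ":")


def parse_dhcp_acks(lines):
    """Yield one record per DHCPACK line; other dhcpd messages are skipped."""
    for line in lines:
        m = DHCPACK_RE.search(line)
        if m:
            yield {
                "ip": m["ip"],
                "mac": normalize_mac(m["mac"]),
                "name": m["name"],  # None when the client sent no hostname
                "iface": m["iface"],
            }


def find_rogue_devices(lines, inventory=ASSET_INVENTORY, corporate_ouis=CORPORATE_OUIS):
    """Return one Finding per MAC that fails any inventory check, in order of first lease."""
    hostname_to_mac = {host: mac for mac, (host, _owner) in inventory.items()}
    findings, seen = [], set()
    for rec in parse_dhcp_acks(lines):
        mac = rec["mac"]
        if mac in seen:
            continue  # renewals of the same lease are not new devices
        seen.add(mac)
        reasons = []
        if mac not in inventory:
            reasons.append("mac not in asset inventory")
        oui = mac[:8]
        if oui not in corporate_ouis:
            reasons.append(f"unrecognized vendor prefix {oui}")
        name = rec["name"]
        if name in hostname_to_mac and hostname_to_mac[name] != mac:
            reasons.append(f"claims hostname of inventoried asset {name}")
        if reasons:
            findings.append(Finding(rec["ip"], mac, name, reasons))
    return findings


if __name__ == "__main__":
    for f in find_rogue_devices(SAMPLE_LOG.splitlines()):
        print(f"{f.ip:<12} {f.mac} {f.hostname or '-':<14} {'; '.join(f.reasons)}")
```

Run against the constructed log this reports two devices: the Android phone (uninventoried, unknown vendor prefix) and the host at 10.0.5.78, which is an uninventoried MAC from a corporate vendor prefix presenting an inventoried workstation's name. Reconciling leases this way is a detective control that works with logs most organizations already have; the preventive counterpart the audit finding refers to is port-level admission control such as 802.1X, which refuses the lease in the first place.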