Home » Anthem settles multistate data security breach for $39.5M

Anthem settles multistate data security breach for $39.5M

FRANKFORT, Ky. — Attorney General Daniel Cameron announced Wednesday a $39.5 million multistate settlement with Anthem Inc. for a data security breach, which compromised the personal information of 78.8 million Americans.

Anthem Inc. agreed to pay $39.5 million to 43 states and the District of Columbia. Kentucky will receive $1,929,942.02. In addition to the payment, Anthem has also agreed to a series of data security and adequate governance provisions designed to strengthen its practices going forward. Cameron’s Division of Consumer Protection served on the executive committee of the multistate team and was a leader in the investigation.

“To protect the interests of Kentucky consumers, our office investigated whether Anthem had violated Kentucky’s Consumer Protection Act and federal HIPAA laws designed to protect sensitive patient health information,” said Cameron. “This settlement delivers nearly $2 million to Kentucky and requires Anthem to adequately secure confidential health and personal records in accordance with state and federal laws.”

In February 2015, Anthem disclosed that cyber attackers used malware, installed through a phishing email, to infiltrate its data systems beginning in February 2014. The attackers gained access to Anthem’s data warehouse and harvested names, dates of birth, Social Security numbers, healthcare identification numbers, home addresses, email addresses, phone numbers, and employment information for 78.8 million Americans. The personal information of 2,305,612 Kentuckians was compromised by the data breach.

Under the terms of the settlement, Anthem is required to:

  • Cease making statements regarding the extent to which Anthem protects the privacy and security of personal information.
  • Implement a comprehensive information security program, including principles of zero trust architecture, regular security reporting to the Board of Directors, and prompt notice of significant security events to the CEO.
  • Execute specific security requirements concerning segmentation, logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing, and employee training, among other requirements.
  • Procure third-party security assessments and audits for three (3) years. During that time, Anthem is also required to make its risk assessments available to a third-party assessor.

In the immediate wake of the breach, at the request of the Connecticut Office of the Attorney General, Anthem offered an initial two years of credit monitoring to all affected U.S. individuals.

In addition to this settlement, Anthem previously entered into a class action settlement that established a $115 million settlement fund to pay for additional credit monitoring, cash payments of up to $50, and reimbursement for out-of-pocket losses for affected consumers. The deadlines for consumers to submit claims under that settlement have since passed.

Cameron was joined in the settlement by the attorneys general of Alaska, Arizona, Arkansas, California, Colorado, Connecticut, the District of Columbia, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Mississippi, Nebraska, New Hampshire, New Jersey, New York, Nevada, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Virginia, Washington, West Virginia, and Wisconsin.

To read the terms of the settlement, click here.