For Immediate Release:
Wednesday, September 30, 2020
Laura Brewer (919) 716-6484
(RALEIGH) Attorney General Josh Stein today announced a $39.5 million multistate settlement with Anthem resulting from the 2014 data breach that compromised the personal information of 78.8 million Americans, including 775,606 North Carolinians. North Carolina will receive $401,172.38. In addition to the payment, Anthem has also agreed to take steps to strengthen its data security and good governance.
“As a health insurance company, Anthem had access to its customers’ sensitive and private information,” said Attorney General Josh Stein. “It didn’t do nearly enough to protect that data, and, as a result, more than 700,000 North Carolinians were put at risk. Companies that store information and data about people have a responsibility to make sure that information is secure. I’m pleased that Anthem will be held accountable and will take steps moving forward to ensure these data breaches don’t happen again.”
In February 2015, Anthem disclosed that cyber attackers had infiltrated its systems beginning in February 2014 using malware installed through a phishing email. The attackers gained access to Anthem’s data warehouse, where they harvested names, dates of birth, Social Security numbers, health care identification numbers, home addresses, email addresses, phone numbers, and employment information for 78.8 million Americans.
Under the settlement, Anthem has agreed to a series of provisions designed to strengthen its security practices going forward. These provisions include:
- Not misrepresenting the extent to which Anthem protects the privacy and security of personal information.
- Implementing a comprehensive information security program.
- Putting in place specific security requirements related to segmentation, logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing, and employee training.
- Conducting third-party security assessments and audits and making its internal risk assessments available to a third-party assessor for three years.
In addition to this settlement, Anthem previously entered into a class action settlement that established a $115 million settlement fund for affected customers – the deadline to submit claims for that fund has passed.
Attorney General Josh Stein is joined in this settlement by the Attorneys General of Illinois, Indiana, Kentucky, Massachusetts, Missouri, and New York, and joined by the Attorneys General of Alaska, Arizona, Arkansas, Colorado, the District of Columbia, Delaware, Florida, Georgia, Hawaii, Idaho, Iowa, Kansas, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Nebraska, New Hampshire, New Jersey, Nevada, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Virginia, Washington, West Virginia, and Wisconsin.
A copy of the settlement is available here.