Anthem has agreed to a $39.5 million settlement with 43 attorneys general over its massive 2014 data breach that involved the personal information of 78.8 million Americans.
In addition to the payment, Anthem, one of the largest health insurance companies in the United States, has also agreed to data security and management provisions designed to strengthen its practices.
Anthem provides health insurance coverage to more than 42 million people in several states, including California and New York.
In February 2015, Anthem disclosed that its network had been compromised in February 2014, with the initial foothold gained through malware delivered by a phishing email.
From there the attackers reached Anthem’s data warehouse and stole the names, dates of birth, Social Security numbers, healthcare identification numbers, home addresses, email addresses, phone numbers, and employment information of millions of Americans.
“We welcome the services that Anthem provides to Nevada customers, but the company also must respect their rights as a consumer,” said Nevada Attorney General Aaron D. Ford.
It’s imperative that companies act in the best interest of their consumers, which includes protecting their personal and health-related information, Ford said.
Under the settlement, Anthem has agreed to strengthen its security practices, including:
- A prohibition against misrepresenting the extent to which Anthem protects the privacy and security of personal information.
- An information security program, including regular security reporting to the Board of Directors and prompt notice of significant security events to the CEO.
- Specific security requirements for logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing, and employee training.
- Third-party security assessments and audits for three years, as well as a requirement that Anthem make its risk assessments available to a third-party assessor during that time.
Anthem previously entered into a class action settlement that established a $115 million settlement fund to pay for additional credit monitoring, cash payments of up to $50 per affected individual, and reimbursement of out-of-pocket losses for affected consumers. The deadlines for consumers to submit claims under that settlement have passed.
The company also agreed to a settlement with the U.S. Department of Health and Human Services about two years ago, paying $16 million to resolve potential HIPAA privacy and security violations.
In addition to Nevada, other states that participated in this settlement include: Alaska, Arizona, Arkansas, Colorado, Connecticut, the District of Columbia, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Iowa, Indiana, Kansas, Kentucky, Louisiana, Maine, Massachusetts, Maryland, Michigan, Minnesota, Mississippi, Missouri, Nebraska, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Virginia, Washington, West Virginia, and Wisconsin.
The attorney general of California entered into a similar, but separate agreement.