A group of 43 attorneys general across the United States announced Wednesday that a $39.5 million settlement has been reached with Anthem stemming from their massive 2014 data breach that involved the personal information of 78.8 million Americans.
Through the settlement, Anthem has reached a resolution with the coalition of attorneys general. In addition to the payment, Anthem has also agreed to a series of data security and good governance provisions designed to strengthen its practices going forward. Nevada’s share of the settlement is $397,306.77, according to Attorney General Aaron Ford’s office.
In February 2015, Anthem disclosed that its network was compromised in February 2014, using malware installed through a phishing email. The attackers were able to gain access to Anthem’s data warehouse, where they harvested names, dates of birth, Social Security numbers, health care identification numbers, home addresses, email addresses, phone numbers and employment information for 78.8 million Americans. In Nevada, 764,039 known residents were affected by the breach.
“We welcome the services that Anthem provides to Nevada customers, but the company also must respect their rights as a consumer,” Ford said. “It is imperative that companies act in the best interest of their consumers, which includes protecting their personal and health-related information.”
Under the settlement, Anthem has agreed to a series of provisions designed to strengthen its security practices going forward, including a prohibition against misrepresentations regarding the extent to which Anthem protects the privacy and security of personal information; implementation of a comprehensive information security program, including regular security reporting to the Board of Directors and prompt notice of significant security events to the CEO; specific security requirements with respect to segmentation, logging and monitoring, anti-virus maintenance, access controls and two factor authentication, encryption, risk assessments, penetration testing and employee training, among other requirements; and third-party security assessments and audits for three years, as well as a requirement that Anthem make its risk assessments available to a third-party assessor during that term.
In the immediate wake of the breach, at the request of the investigating states, including Nevada, Anthem offered an initial two years of credit monitoring to all affected U.S. individuals.
Other states that participated in this settlement include Alaska, Arizona, Arkansas, Colorado, Connecticut, the District of Columbia, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Iowa, Indiana, Kansas, Kentucky, Louisiana, Maine, Massachusetts, Maryland, Michigan, Minnesota, Mississippi, Missouri, Nebraska, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Virginia, Washington, West Virginia and Wisconsin.