Connecticut Attorney General William Tong and his New York counterpart Letitia James have announced their states will receive $3.8 million and $2.7 million, respectively, as part of a $39.5 million multi-state settlement with Anthem related to the company’s 2014 data breach.
Anthem was the target of cyberattacks beginning in February 2014 that compromised the personal data of 78.8 million Americans, including information such as names, birthdays, medical IDs, Social Security numbers, street addresses, email addresses, employment information and income data. An investigation later determined that the breach was carried out using malware installed through a phishing email.
However, the health insurer did not publicly disclose the data breach until February 2015, acknowledging that the brands and plans impacted by the breach included Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink and DeCare.
Under the terms of the settlement, Anthem agreed to new requirements designed to strengthen its cybersecurity practices, including third-party security assessments and audits for three years, along with new security requirements that specifically focus on segmentation, logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing and employee training.
The settlement also called for a “prohibition against misrepresentations regarding the extent to which Anthem protects the privacy and security of personal information” and regular security reporting to its CEO and board of directors.
“This settlement sends a strong message that state attorneys general will fight to protect consumer privacy and data security,” said Tong, adding that nearly half of Connecticut’s residents were affected by the breach.
“New Yorkers have every reasonable expectation that their private health information will remain private and protected by their doctors and especially by their health insurance companies,” said James. “This agreement signals that Anthem is committed to protecting consumers’ private information.”