BALTIMORE, MD—Maryland Attorney General Brian E. Frosh on Wednesday announced a multi-state settlement with health insurance provider Anthem, Inc. stemming from its massive 2014 data breach that involved the personal information of 78.8 million Americans. Through the $39.5 million settlement, Anthem has agreed to a series of data security and good governance provisions designed to strengthen its practices going forward.
In February 2015, Anthem disclosed that cyber attackers had infiltrated its systems beginning in February 2014, using malware installed through a phishing email. The attackers were ultimately able to gain access to Anthem’s data warehouse, where they harvested names, dates of birth, Social Security numbers, healthcare identification numbers, home addresses, email addresses, phone numbers, and employment information for 78.8 million Americans. In Maryland, 672,102 residents were affected by the breach.
“Anthem’s data breach left millions of Americans vulnerable to identity theft and the misuse of their personal information. Healthcare companies maintain vast quantities of consumer personal information and must implement appropriate measures to prevent intrusions and detect hackers; unfortunately, Anthem failed to do so,” said Attorney General Frosh. “The significant data security measures required by this settlement will help protect the personal information of Marylanders and other consumers throughout the country.”
Under the settlement, Anthem has agreed to a series of provisions designed to strengthen its security practices going forward. Those include:
- A prohibition against misrepresentations regarding the extent to which Anthem protects the privacy and security of personal information;
- Implementation of a comprehensive information security program, incorporating principles of zero trust architecture, and including regular security reporting to the Board of Directors and prompt notice of significant security events to the CEO;
- Specific security requirements with respect to segmentation, logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing, and employee training, among other requirements; and
- Third-party security assessments and audits for three years, as well as a requirement that Anthem make its risk assessments available to a third-party assessor during that term.
In the immediate wake of the breach, Anthem offered an initial two years of credit monitoring to all affected U.S. individuals.
In addition to Attorney General Frosh, the settlement was joined by the attorneys general of Alaska, Arizona, Arkansas, Connecticut, Colorado, the District of Columbia, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Massachusetts, Michigan, Minnesota, Missouri, Mississippi, Nebraska, New Hampshire, New Jersey, New York, Nevada, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Virginia, Washington, West Virginia, and Wisconsin. At the same time, the Attorney General of California entered into a parallel settlement.