Anthem settles with state AGs in cyber attack

October 1, 2020

The settlement relates to a 2015 cyber attack that impacted 78.8 million customers.

Health insurance giant Anthem has settled with State Attorneys General from across the country in connection with a 2015 cyber attack on the company.

According to a news release, the company agreed to pay $39.5 million to settle the multistate investigation. As part of the settlement, Anthem does not admit any violation of law in connection with the attack, which it said was carried out by a “sophisticated state-sponsored criminal attack group.”

In a separate release, New York Attorney General Letitia James says that the breach, which occurred in 2014 but wasn’t disclosed by Anthem until February 2015, compromised the personal information of 78.8 million of Anthem’s customers across the country. The attackers were able to harvest names, dates of birth, Social Security numbers, healthcare identification numbers, home addresses, email addresses, phone numbers, and employment information.

The James release says that Anthem will also be required to implement the following:

Prohibiting the misrepresentation of the extent to which Anthem protects the privacy and security of consumers’ personal information;

Implementing a comprehensive information security program that incorporates principles of zero trust architecture and includes regular security reporting to the Board of Directors and prompt notice of significant security events to the CEO;

Setting up specific security requirements with respect to segmentation, logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing, and employee training, among other requirements; and

Scheduling third-party security assessments and audits for three years, as well as requiring that Anthem make its risk assessments available to a third-party assessor during that term.

Anthem also previously entered into a class action settlement establishing a $115 million settlement fund to pay for additional credit monitoring, cash payments up to $50 per individual breached, and reimbursement for out-of-pocket losses for affected customers, the James release says.

No evidence was found that information obtained in the leak resulted in fraud, Anthem says.