Connecticut Leads $39.5 Million Multistate Settlement Over 2014 Anthem Data Breach
Connecticut to Receive $3.8 Million
(Hartford, CT) – Attorney General William Tong today announced that Connecticut has obtained a $39.5 million multistate settlement with Anthem stemming from the massive 2014 data breach that involved the personal information of 78.8 million Americans. Through the settlement, Anthem has reached a resolution with a 43-state coalition and California. Connecticut will receive $3.8 million from the settlement. In addition to the payment, Anthem has also agreed to a series of data security and good governance provisions designed to strengthen its practices going forward.
In February 2015, Anthem disclosed that cyber attackers had infiltrated its systems beginning in February 2014, using malware installed through a phishing email. The attackers were ultimately able to gain access to Anthem’s data warehouse, where they collected names, dates of birth, Social Security numbers, healthcare identification numbers, home addresses, email addresses, phone numbers, and employment information for 78.8 million Americans. In Connecticut, 1.7 million residents were affected by the breach.
“Connecticut led the multistate investigation into Anthem’s 2014 data breach, culminating today in a $39.5 million multistate settlement. Nearly half of all Connecticut residents were impacted by this massive breach, involving some of our most personal information, including Social Security numbers, phone numbers, healthcare identification numbers, addresses, and more,” said Attorney General Tong. “This settlement sends a strong message that state attorneys general will fight to protect consumer privacy and data security.”
Under the settlement, Anthem has agreed to a series of provisions designed to strengthen its security practices going forward. Those include:
• a prohibition against misrepresentations regarding the extent to which Anthem protects the privacy and security of personal information;
• implementation of a comprehensive information security program, incorporating principles of zero trust architecture, and including regular security reporting to the Board of Directors and prompt notice of significant security events to the CEO;
• specific security requirements with respect to segmentation, logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing, and employee training, among other requirements; and
• third-party security assessments and audits for three (3) years, as well as a requirement that Anthem make its risk assessments available to a third-party assessor during that term.
In the immediate wake of the breach, at the request of the Connecticut Office of the Attorney General, Anthem offered an initial two years of credit monitoring to all affected U.S. individuals at a significant cost to the company.
In addition to this settlement, Anthem previously entered into a class action settlement that established a $115 million settlement fund to pay for additional credit monitoring, cash payments of up to $50, and reimbursement for out-of-pocket losses for affected consumers. The deadlines for consumers to submit claims under that settlement have since passed.
The Connecticut Office of the Attorney General led the multistate investigation, assisted by the Attorneys General of Illinois, Indiana, Kentucky, Massachusetts, Missouri, and New York, and joined by the Attorneys General of Alaska, Arizona, Arkansas, Colorado, the District of Columbia, Delaware, Florida, Georgia, Hawaii, Idaho, Iowa, Kansas, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Nebraska, New Hampshire, New Jersey, Nevada, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Virginia, Washington, West Virginia, and Wisconsin.
The Connecticut Office of the Attorney General was among the first across the country to form a dedicated Privacy and Data Security Department. The protection of consumer privacy and data security continues to be a top priority of the Office. Recently, Connecticut co-led the multistate investigation into the 2017 Equifax data breach that culminated in a $600 million settlement with the company last year — the largest data breach settlement in history. Prior to that, Connecticut also co-led the multistate investigations into data breaches at Uber and Target. As with Equifax, those investigations shed light on widespread data safeguarding failures and yielded historic settlements.
Assistant attorneys general Michele Lucan, John Neumon, Áine DeMeo, and Jeremy Pearlman, Head of the Privacy and Data Security Department, assisted the Attorney General in this matter.