Missouri Attorney General Eric Schmitt, along with a coalition of state attorneys general, today announced a $39.5 million multi-state settlement with Anthem resulting from the massive 2014 data breach involving the personal information of 78.8 million Americans.
Through the settlement, Anthem reached a resolution with the multi-state coalition of 43 states. Missouri will receive $1,841,839.64 from the settlement. In addition to the payment, Anthem has also agreed to a number of data security and good governance provisions designed to strengthen its practices in the future.
In February 2015, Anthem revealed that cyber attackers had infiltrated its systems beginning in February 2014, using malware installed via a phishing email. Eventually the attackers were able to access Anthem’s data warehouse, where they collected names, dates of birth, Social Security numbers, health identification numbers, home addresses, email addresses, telephone numbers and employment information for 78.8 million Americans. In Missouri, 2,041,985 residents were affected by the breach.
“Protecting consumer data is incredibly important, and when companies or companies that store large amounts of consumer data fail to safeguard that data, they must be held accountable,” Attorney General Schmitt said. “This is another example of the great work that can be done when state attorneys general across the country work together.”
Under the agreement, Anthem has agreed to a number of provisions designed to strengthen its security practices in the future. These include:
- a ban on misrepresentation as to the extent to which Anthem protects the privacy and security of personal information;
- implementing a comprehensive information security program that incorporates zero trust architecture principles and includes periodic security reporting to the Board of Directors and timely notification of significant security events to the CEO;
- specific security requirements in relation to segmentation, logging and monitoring, antivirus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing and employee training, among other requirements; and
- third party security assessments and audits for three (3) years, as well as the requirement for Anthem to make its risk assessments available to a third party assessor during that period.
In the immediate wake of the breach, Anthem offered an initial two years of credit monitoring to all affected US individuals.
In addition to this settlement, Anthem previously entered into a class action settlement that established a $115 million settlement fund to pay for additional credit monitoring, cash payments of up to $50, and reimbursement for out-of-pocket losses for affected consumers. The deadlines for consumers to submit claims under that settlement have expired.
The Connecticut Attorney General’s Office conducted the multistate investigation, assisted by the attorneys general of Illinois, Indiana, Kentucky, Massachusetts, Missouri and New York, and was joined by the attorneys general of Alaska, Arizona, Arkansas, Colorado, the District of Columbia, Delaware, Florida, Georgia, Hawaii, Idaho, Iowa, Kansas, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Nebraska, New Hampshire, New Jersey, Nevada, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Virginia, Washington, West Virginia, and Wisconsin.