HARTFORD, Conn — Attorney General William Tong has announced that Connecticut has obtained a $39.5 million, multistate settlement with Anthem. The settlement stems from the massive 2014 data breach that involved 78.8 million Americans' personal information.
In the settlement, Anthem has resolved with a 43-state coalition and California. Connecticut will receive $3.8 million from the settlement. In addition to the payment, Anthem has also agreed to a series of data security and governance provisions designed to strengthen its future practices.
In February 2015, Anthem disclosed that cyber attackers had infiltrated its systems beginning in February 2014, using malware installed through a phishing email. The attackers were ultimately able to access Anthem's data warehouse. There, the attackers were able to collect names, dates of birth, Social Security numbers, healthcare identification numbers, home addresses, email addresses, phone numbers, and employment information for tens of millions of Americans.
In Connecticut, 1.7 million residents were affected by the breach.
"Nearly half of Connecticut's residents were impacted by this breach. It involved some of our most personal information, including Social Security numbers, phone numbers, healthcare identification numbers, and more," said Attorney General Tong. "This settlement sends a strong message that state attorneys general will fight to protect consumer privacy and data security."
Some of the provisions Anthem has agreed to are:
• a prohibition against misrepresentations regarding the extent to which Anthem protects the privacy and security of personal information;
• implementation of a comprehensive information security program, incorporating principles of zero trust architecture, and including regular security reporting to the Board of Directors and prompt notice of significant security events to the CEO;
• specific security requirements concerning segmentation, logging and monitoring, anti-virus maintenance, access controls, and two-factor authentication, encryption, risk assessments, penetration testing, and employee training, among other requirements; and
• third-party security assessments and audits for three years, as well as a condition that Anthem makes its risk assessments available to a third-party assessor during that term.
In the immediate wake of the breach, at the request of the Connecticut Office of the Attorney General, Anthem had reportedly offered an initial two years of credit monitoring to all affected U.S. individuals at a high cost to the company.
In addition to this settlement, Anthem previously entered into a class action settlement that established a $115 million settlement fund to pay for additional credit monitoring, cash payments of up to $50, and reimbursement for out-of-pocket losses for affected consumers. The deadlines for consumers to submit claims under that settlement have since passed.
The AG Tong said Connecticut was among the first to form a dedicated Privacy and Data Security Department. The protection of consumer privacy and data security continues to be a top priority of their office.
