Anthem reaches $39.5M settlement with 43 states over data breach
The settlement also calls on the health benefits company to agree to several provisions aimed at protecting the privacy of individuals.
A 43-state coalition—including Connecticut, New York, Florida and California—announced Wednesday they’d reached a $39.5 million settlement with Anthem Inc., over a 2014 data breach that involved the personal information of nearly 80 million Americans.
Under the agreement, Anthem will pay California $8.69 million, Connecticut $3.8 million, New York $2.7 million, Florida about $600,000, New Jersey about $527,000 and Delaware $162,700, among other states.
The settlement also calls on the Indianapolis-based heath benefits company to agree to several provisions aimed at protecting the privacy of individuals.
Related: Data breaches cost health organizations $12 billion last year
Anthem must also meet specific requirements for monitoring and anti-virus maintenance. New employees must also undergo initial training on safeguarding customer privacy, plus all staff must get annual training on the proper handling of personal information and protected health information.
“Anthem takes the security of its data and the personal information of consumers seriously and is committed to safeguarding protected health information and personal information, while adapting to the evolving health care information security environment,” the company said on its website. “Anthem continues to invest in a secure framework, security software and hardware.”
In February 2015, Anthem announced that cyber attackers had infiltrated its network the previous year. It said the breach extended into multiple brands, including Anthem Blue Cross and Anthem Blue Cross and Blue Shield.
The attorneys general who were part of the coalition said the settlement sends a strong message to businesses to do what they can now to protect against breaches.
“Nearly half of all Connecticut residents were impacted by this massive breach, involving some of our most personal information, including Social Security numbers, phone numbers, healthcare identification numbers, addresses and more. … This settlement sends a strong message that state attorneys general will fight to protect consumer privacy and data security,” said Connecticut Attorney General William Tong.
New York Attorney General Letitia James said more than 4.6 million New Yorkers had their personal information compromised.
“New Yorkers have every reasonable expectation that their private health information will remain private and protected by their doctors and, especially, by their health insurance companies,” James said.
Echoing those sentiments was California Attorney General Xavier Becerra, whose state will receive the most from the settlement.
“Consumers are left with little choice but to trust their personal health information will be safe and secure. Anthem failed in that duty to its customers. Anthem’s lax security and oversight hit millions of Americans. Now, Anthem gets hit with a penalty, in the millions, in return.”
And Florida Attorney General Ashley Moody said, “Data breaches have far-reaching and long-lasting effects on people’s lives. When companies fail to protect customers’ personal information, they owe it to the public to disclose that information quickly and to take steps to protect them from further damage.”
Read more: