Attorney General James Helps Secure $39.5 Million After Anthem’s 2014 Data Breach

New York to Receive More Than $2.7 Million

NEW YORK – New York Attorney General Letitia James today announced a multistate settlement with health insurance company Anthem, Inc. that resolves a massive 2014 data breach that compromised the personal information of 78.8 million customers nationwide, including more than 4.6 million customers in New York state alone. The breach gave attackers access to Anthem’s data warehouse, where they harvested names, dates of birth, Social Security numbers, health care identification numbers, home addresses, email addresses, phone numbers, and employment information. Today’s agreement resolves the cyber-attack by forcing Anthem to pay the multistate coalition a total of $39.5 million in penalties and fees — more than $2.7 million of which will go to New York state directly. In addition to the payment, Anthem has also agreed to a series of data security and good governance provisions designed to strengthen its practices going forward.

“New Yorkers have every reasonable expectation that their private health information will remain private and protected by their doctors and especially by their health insurance companies,” said Attorney General James. “This agreement signals that Anthem is committed to protecting consumers’ private information. In addition to bringing over $2.7 million into the state, affected New Yorkers will also be provided free credit report monitoring, along with Anthem’s commitment to strengthen security protocols.”

In February 2015, Anthem disclosed that cyber attackers had infiltrated its systems beginning in February 2014 using malware installed through a phishing email.

Not only will Anthem specifically pay New York $2,715,495.21 as a result of today’s agreement, but the company will make a series of changes to its security protocols designed to strengthen practices going forward, including:

  • Prohibiting the misrepresentation of the extent to which Anthem protects the privacy and security of consumers’ personal information;
  • Implementing a comprehensive information security program that incorporates principles of zero trust architecture and includes regular security reporting to the Board of Directors and prompt notice of significant security events to the CEO;
  • Setting up specific security requirements with respect to segmentation, logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing, and employee training, among other requirements; and
  • Scheduling third-party security assessments and audits for three years, as well as requiring that Anthem make its risk assessments available to a third-party assessor during that term.

In addition to today’s agreement, Anthem previously entered into a class action settlement that established a $115 million settlement fund to pay for additional credit monitoring, cash payments of up to $50 per individual breached, and reimbursement for out-of-pocket losses for affected consumers. The deadlines for consumers to submit claims under that settlement have since passed.

The Office of the New York Attorney General was a member of the multistate Executive Committee along with the attorneys general of Connecticut, Illinois, Indiana, Kentucky, Massachusetts, and Missouri. They were joined by the attorneys general of Alaska, Arizona, Arkansas, Colorado, Delaware, Florida, Georgia, Hawaii, Idaho, Iowa, Kansas, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Nebraska, New Hampshire, New Jersey, Nevada, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Virginia, Washington, West Virginia, Wisconsin, and the District of Columbia. Additionally, the attorney general of California entered into a similar but separate agreement.

This matter was handled by Deputy Bureau Chief Clark Russell of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo and which is overseen by First Deputy Attorney General Jennifer Levy.