Health benefits provider Anthem has reached a settlement with 43 states, resolving the last of a series of lawsuits over a 2014 cyberattack. The company will pay the states $39.5 million.
The company previously agreed to a $16 million settlement with the U.S. Department of Health and Human Services' Office for Civil Rights to resolve potential HIPAA violations stemming from the breach, which exposed personal information on nearly 79 million people.
“Protecting the privacy of its customers should be Anthem’s top priority, otherwise people are left vulnerable and exposed,” said Ohio Attorney General Dave Yost. “The fear of having your identity stolen is alarming and it will take time to rebuild that public trust.”
Through the combined action, Yost said Ohio will receive $1.88 million from the settlement. Other states will receive similar amounts. In addition to the payments, Anthem has also agreed to a series of data security and good governance provisions designed to strengthen its practices going forward.
“Data breaches have far-reaching and long-lasting effects on people’s lives,” said Florida Attorney General Ashley Moody. “When companies fail to protect customers’ personal information, they owe it to the public to disclose that information quickly and to take steps to protect them from further damage.”
Timing of disclosure
The timing of the disclosure was one of the central issues in the states' case. In February 2015, nearly a year after the initial intrusion, Anthem disclosed to the public that attackers had gained entry to its systems beginning in February 2014 using malware delivered through a phishing email.
Once inside, the attackers gained access to Anthem’s data warehouse, where they stole names, dates of birth, Social Security numbers, health care identification numbers, home addresses, email addresses, phone numbers, and employment information for 78.8 million Americans.
“Protecting consumer data is incredibly important, and when companies or corporations who store large amounts of consumer data fail to safeguard that data, they must be held accountable,” said Missouri Attorney General Eric Schmitt.
In addition to the financial settlement, Anthem has agreed to strengthen its network security protocols to avoid similar incidents in the future.
Among the steps, Anthem said it will implement a comprehensive information security program that incorporates principles of zero-trust architecture and includes regular security reports made to the Board of Directors and prompt notice of significant security events to the CEO.
It has also agreed to assessments and audits of its security practices by a third party for three years.