Indiana Attorney General Curtis Hill on Thursday announced that Indiana has joined a $39.5 million multistate settlement with Indianapolis-based Anthem. The settlement stems from a 2014 data breach that exposed millions of Americans’ personal information.
In February 2015, Anthem disclosed that cyberattackers infiltrated its systems beginning in February 2014, using malware installed through a phishing email. A federal grand jury last year indicted members of a China-based hacking group on charges related to a series of computer intrusions, including a data breach of Anthem.
The cyberattackers were able to gain access to Anthem’s data warehouse, where they harvested names, dates of birth, Social Security numbers, healthcare identification numbers, home addresses, email addresses, phone numbers and employment information for 78.8 million Americans. About 4,558,354 Indiana residents were impacted by the breach.
“Consumers are vulnerable when companies entrusted to protect their personal information fail to take the appropriate steps to do so,” Hill said. “We are reassured by Anthem’s commitment to improve its data security practices and are confident that the company will not repeat past mistakes.”
Indiana will receive $2,682,793.39 from the settlement, all of which will go to the Agency Settlement Fund. In addition to this payment, Anthem agreed to a series of provisions designed to strengthen its security practices. Those provisions include:
- Prohibiting misrepresentations about the extent to which Anthem protects the privacy and security of personal information;
- Implementing a comprehensive information security program that incorporates principles of zero-trust architecture. This includes regularly reporting security matters to the Board of Directors and promptly notifying the CEO of significant security threats;
- Implementing security requirements with respect to segmentation, logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing and employee training, among other requirements; and
- Conducting third-party security assessments and audits for three years, as well as requiring that Anthem make its risk assessments available to a third-party assessor during that term.
Through this settlement, Anthem has reached a resolution with Indiana and 42 other states. California has also reached its own settlement with Anthem.
Court documents related to this multistate settlement are available here and here.
Previously, Anthem entered into a class-action settlement that established a $115 million settlement fund to pay for additional credit monitoring, cash payments of up to $50 for affected Americans and the reimbursement for out-of-pocket losses for affected consumers. The deadlines for consumers to submit claims under that settlement have passed.