AG Fitch joins $39.5M multistate settlement over 2014 Anthem Data Breach

JACKSON, Miss. (WJTV) – On Wednesday, Attorney General Lynn Fitch announced that Mississippi has joined a $39.5 million settlement with Anthem stemming from the massive 2014 data breach involving the personal information of 78.8 million Americans.

Through the settlement, Anthem has reached a resolution with the 43-state coalition and California. Mississippi will receive nearly $197,000 from the settlement. In addition to the payment, Anthem has also agreed to a series of data security and good governance provisions designed to strengthen its practices going forward.

“As we all become more dependent on the vast and ever-expanding digital infrastructure, we must also be vigilant in keeping Americans safe by combatting cybercrime and cyber-enabled threats,” said Attorney General Lynn Fitch. “The Anthem cyberattack impacted tens of millions of Americans, releasing their sensitive and personal information to malicious actors on the dark web. This settlement reaffirms my commitment to hold companies accountable in their implementation and execution of strong security practices and their duty to protect users’ personal information.”

In February 2015, Anthem disclosed that cyber attackers had infiltrated its systems beginning in February 2014, using malware installed through a phishing email. The attackers were ultimately able to gain access to Anthem’s data warehouse, where they harvested names, dates of birth, Social Security numbers, healthcare identification numbers, home addresses, email addresses, phone numbers, and employment information for 78.8 million Americans. In Mississippi, 164,216 residents were affected by the breach. 

Under the settlement, Anthem has agreed to a series of provisions designed to strengthen its security practices going forward. Those include: a prohibition against misrepresentations regarding the extent to which Anthem protects the privacy and security of personal information; implementation of a comprehensive information security program, incorporating principles of zero trust architecture, and including regular security reporting to the Board of Directors and prompt notice of significant security events to the CEO; specific security requirements with respect to segmentation, logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing, and employee training, among other requirements; and third-party security assessments and audits for three (3) years, as well as a requirement that Anthem make its risk assessments available to a third-party assessor during that term.

In addition to this settlement, Anthem previously entered into a class action settlement that established a $115 million settlement fund to pay for additional credit monitoring, cash payments of up to $50, and reimbursement for out-of-pocket losses for affected consumers. The deadlines for consumers to submit claims under that settlement have since passed.

Copyright 2020 Nexstar Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
