Anthem to Pay $39.5 Million in Multistate Settlement over 2014 Data Breach

PHOENIX – Attorney General Mark Brnovich today announced that Anthem, Inc. has agreed to pay Arizona over $280,000 to resolve allegations stemming from a 2014 data breach that involved the personal information of 78.8 million Americans. The settlement with the Arizona Attorney General’s Office (AGO) is part of a $39.5 million settlement with 43 total states and the District of Columbia. In addition to the payment, Anthem has also agreed to a series of data security and good governance provisions designed to strengthen its practices going forward.

In February 2015, Anthem disclosed that cyber attackers had infiltrated its systems beginning in February 2014, using malware installed through a phishing email. The attackers were ultimately able to access Anthem’s data warehouse, where they harvested names, dates of birth, Social Security numbers, healthcare identification numbers, home addresses, email addresses, phone numbers, and employment information for 78.8 million Americans. In Arizona, over 400,000 residents were affected by the breach.

"If a business or a government agency can't meet their obligations to prevent a data breach or to adequately protect consumers after a breach, they need to be held accountable,” said Attorney General Brnovich. “Attorneys General are working together to use all available laws to ensure companies take the protection of consumer data seriously.”

Under the settlement, Anthem has agreed to a series of provisions designed to strengthen its security practices going forward. Those include

  • Prohibition against misrepresentations regarding the extent to which Anthem protects the privacy and security of personal information;
  • Implementation of a comprehensive information security program, incorporating principles of zero trust architecture, and including regular security reporting to the Board of Directors and prompt notice of significant security events to the CEO;
  • Specific security requirements with respect to segmentation, logging and monitoring, anti-virus maintenance, access controls and two factor authentication, encryption, risk assessments, penetration testing, and employee training, among other requirements, and;
  • Third-party security assessments and audits for three years, as well as a requirement that Anthem make its risk assessments available to a third-party assessor during that term.

Anthem previously offered two years of credit monitoring to all affected U.S. individuals.

The $280,000 to Arizona will be used to investigate and pursue other consumer fraud related actions by the AGO, including other data breach investigations.

In addition to this settlement, Anthem previously entered into a class action settlement that established a $115 million settlement fund to pay for additional credit monitoring, cash payments of up to $50, and reimbursement for out-of-pocket losses for affected consumers. The deadlines for consumers to submit claims under that settlement have since passed.

In 2018, Attorney General Brnovich worked with the legislature to strengthen Arizona's data breach consumer protection laws. HB2154 bolstered protections and added notification requirements for victims of a data breach, including: 

  • Expanding the definition of protected “personal information” to include online account credentials, as well as an individual’s name in combination with health insurance or other medical information, passport or taxpayer-identification numbers, or certain biometric data;
  • Requiring that notice to individuals affected by a breach be provided within 45 days after determining that a breach has occurred (whereas existing law provided no definitive deadline);
  • Clarifying the necessary content and available delivery methods for notifications to consumers;
  • Requiring notification to the three largest consumer reporting agencies for any breach involving more than 1,000 individuals;
  • Increasing the maximum civil penalty for a knowing or willful violation of the statute from $10,000 per breach to $500,000 per breach; and
  • Clearly explaining the Attorney General’s powers in connection with the investigation and enforcement of data-breach matters.

Other AGO cases regarding data breaches:
$18.5 Settlement with Target after Data Breach
First-Ever Settlement in HIPAA Data Breach Lawsuit
$148 Million Settlement With Uber Over Data Breach
$10 Million Settlement Premera Blue Cross Data Breach
$1.5 Data Breach Settlement With Neiman Marcus
$5.5 Million Settlement with Nationwide Insurance 
$600 Million Equifax Settlement

Arizona was joined in the case and settlement by the Attorneys General of Alaska, Arkansas, Colorado, Connecticut, the District of Columbia, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Virginia, Washington, West Virginia, and Wisconsin.