TRENTON – Attorney General Gurbir S. Grewal announced today that New Jersey will receive $527,055 as part of a multi-state settlement with health insurance provider Anthem, Inc. The settlement resolves an investigation by the participating states into a massive data breach that impacted the personal information of tens of millions of Americans – including more than 1.15 million New Jersey residents.
Overall, Anthem will pay the participating states a total of $39.5 million under the settlement and implement a series of cyber-security and good governance provisions aimed at strengthening its practices going forward.
“Companies have a duty to maintain effective security measures to safeguard the mountains of personal information they collect from consumers,” said Attorney General Grewal. “When they fall short, it becomes all too easy for criminals to steal consumer’ sensitive data. Today’s settlement should send a message to all companies that they will be held accountable if their lapses allow a data breach to harm the public.”
In February 2015, Anthem disclosed that cyber attackers had infiltrated its systems through a months-long, continuous cyber-attack that began in February 2014 with malware installed through a spear phishing email.
The states’ investigation revealed that, between December 2, 2014 and January 27, 2015, the cyber attackers used harvested credentials to run numerous unauthorized queries and access personal information in Anthem’s data warehouse. There, they captured names, dates of birth, Social Security numbers, healthcare identification numbers, home addresses, email addresses, phone numbers, and employment information for 78.8 million Americans.
“Consumers who are asked – and often required – to entrust companies with their highly-sensitive personal data have a right to expect that such information will be protected through appropriate security measures,” said Acting Division of Consumer Affairs Director Paul R. Rodríguez. “That did not happen here, and more than 1.15 million New Jersey residents had their personal data compromised. This is unacceptable. Going forward, Anthem must do a better job of securing consumers’ personal information, and the terms of today‘s settlement should help ensure that they do.”
Under the settlement announced today, Anthem has agreed to a series of provisions designed to enhance accountability and solidify its security practices. Those include:
a prohibition against misrepresentations regarding the extent to which Anthem
protects the privacy and security of personal information;
implementation of a comprehensive information security program, incorporating principles of zero trust architecture, and including regular security reporting to the Board of Directors and prompt notice of significant security events to the CEO;
specific security requirements with respect to segmentation, logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing, and employee training, among other requirements; and
third-party security assessments and audits for three (3) years, as well as a requirement that Anthem make its risk assessments available to a third-party assessor during that term.
In the immediate wake of the Anthem breach, Anthem offered an initial two years of credit monitoring to all affected U.S. individuals. In addition to the settlement announced today, Anthem previously entered into a class action settlement that established a $115 million fund to pay for additional credit monitoring, cash payments of up to $50 per affected consumer, and reimbursement for out-of-pocket losses for affected consumers.
In addition to New Jersey, these states and jurisdictions are involved in the settlement announced today: Alaska, Arizona, Arkansas, California, Colorado, Connecticut, the District of Columbia, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Massachusetts, Missouri, Maine, Maryland, Michigan, Minnesota, Mississippi, Nebraska, New Hampshire, New York, Nevada, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Virginia, Washington, West Virginia, and Wisconsin.
Kashif T. Chand, Section Chief of the Division of Law’s Data Privacy and Cybersecurity Section, and Law Clerk Gina Pittore, of the Data Privacy and Cybersecurity Section, handled the Anthem matter on behalf of the State.
