USA: AGs reach $39.5 million settlement with Anthem over 2014 data breach
The New York Attorney General ('AG'), Letitia James, announced, on 30 September 2020, that she, along with 42 AGs, had entered into a $39.5 million settlement with Anthem, Inc. over a 2014 data breach affecting the personal information of 78.8 million customers nationwide, in violation of the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'). In particular, the AG outlined that the data breach resulted in unauthorised actors gaining access to Anthem's data warehouse, where Anthem harvested names, dates of birth, social security numbers, health care identification numbers, home addresses, email addresses, phone numbers, and employment information. In addition, the AG noted that Anthem will make changes to its security protocols to strengthen practices, including prohibiting the misrepresentation of the extent to which Anthem protects consumers' personal information, and implementing a comprehensive information security program that incorporates principles of zero trust architecture and includes regular security reporting. Moreover, the AG highlighted that Anthem must also schedule third-party security assessments and audits for three years, make its risk assessments available to a third-party assessor during that term, and must set up specific security requirements with respect to segmentation, logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, and penetration testing, among others.
The NY AG was joined by the AGs of Alaska, Arizona, Arkansas, Colorado, Connecticut, the District of Columbia, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Nebraska, New Hampshire, New Jersey, Nevada, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Virginia, Washington, West Virginia, and Wisconsin.