Rutledge Announces Arkansas Joins Multistate Data Breach Settlement
October 2, 2020
Company to change its business practices to better protect consumer information
LITTLE ROCK – Arkansas Attorney General Leslie Rutledge today announced that Arkansas has joined a $39.5 million multistate settlement with Anthem stemming from the massive 2014 data breach in which cyber attackers were able to gain access to the personal information of 190,174 Arkansas residents. In total, 78.8 million Americans were affected by the breach. Arkansas will receive $205,524.91 from the settlement.
“Anthem is being held accountable for allowing hackers to take advantage and scam Arkansas families,” said Attorney General Rutledge. “Arkansans need to trust their information is private and in good hands online. Settlements like this ensure companies take the necessary steps to protect sensitive data.”
In February 2015, Anthem disclosed that cyber attackers had infiltrated its systems beginning in February 2014, using malware installed through a phishing email. The attackers were ultimately able to gain access to Anthem’s data warehouse, where they harvested names, dates of birth, Social Security numbers, healthcare identification numbers, home addresses, email addresses, phone numbers and employment information.
In addition to the payment, Anthem has also agreed to a series of data security and good governance provisions designed to strengthen its information security practices going forward. Those include:
- A prohibition against misrepresentations regarding the extent to which Anthem protects the privacy and security of personal information.
- Implementation of a comprehensive information security program, including regular security reporting to the Board of Directors and prompt notice of significant security events to the CEO.
- Specific security requirements with respect to segmentation, logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing, and employee training, among other requirements.
- Third-party security assessments and audits for three years, as well as a requirement that Anthem make its risk assessments available to a third-party assessor during that term.
In the immediate wake of the breach, Anthem offered an initial two years of credit monitoring to all affected U.S. individuals.
In addition to this settlement, Anthem previously entered into a class action settlement that established a $115 million settlement fund to pay for additional credit monitoring, cash payments of up to $50, and reimbursement for out-of-pocket losses for affected consumers. The deadlines for consumers to submit claims under that settlement have since passed.
In addition to Arkansas, the settlement is led by Connecticut and signed on by the Attorneys General of Illinois, Indiana, Kentucky, Massachusetts, Missouri, and New York, and joined by the Attorneys General of Alaska, Arizona, Colorado, the District of Columbia, Delaware, Florida, Georgia, Hawaii, Idaho, Iowa, Kansas, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Nebraska, New Hampshire, New Jersey, Nevada, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Virginia, Washington, West Virginia, and Wisconsin.